
HJT Log - AdamBuffalo


16 replies to this topic

#1 AdamBuffalo

Posted 29 December 2004 - 09:47 PM

Hello everyone,
I'm having some serious problems with my computer. It started when I came back to my apartment after spending a few days with my family; my computer had been shut off the whole time. When I rebooted I began getting all sorts of strange errors. First, my virus protection / firewall software, McAfee 2005, wouldn't load and gave me an error saying that components were missing and I needed to re-install. A friend of mine had installed the program for me about a month ago and didn't leave a disk, so I attempted to uninstall McAfee and go back to Norton, which I had on hand. McAfee wouldn't uninstall completely and still gives me errors about missing components on each reboot, but no longer appears in the Add/Remove Software box. When I tried to install Norton I was told that a crucial file was missing or corrupted and that I needed to try again; I receive Norton for free through my school, so I downloaded another copy and tried again, same result. I thought at first that since my firewall through McAfee had disappeared, someone or something outside was somehow blocking me from installing antivirus software, so I downloaded the free version of Sygate firewall and installed that. After the reboot required by the install I found that I couldn't open any webpages, and that I couldn't actually open Sygate and adjust the allowable programs; Sygate didn't even open on startup or show up on the running process list from Ctrl-Alt-Del. I uninstalled Sygate and my web browsing ability was restored. I have installed, updated and run SpywareBlaster, Ad-Aware, and Spybot S&D, but I am still unable to install any sort of antivirus software or construct a working firewall. Also, as an odd side note, I think my Windows Update is corrupted as well, as it always offers me the same critical update each time I check it, and no matter how many times I download and install it, it still shows up as needed.
In addition, each time I reboot and run Ad-Aware, the same group of 20 or so programs come up, and with Spybot the same 2 come up. I know they must be hiding in my registry somewhere and probably in a restore point, but I cannot figure out how to make them go away. Please help; I have spent all day browsing various forums looking for people who could help, and your site seems to be the most informative and helpful. Thank you

-Adam
Below is my HJT logfile made from a fresh reboot without running Ad-Aware or Spybot.


Logfile of HijackThis v1.99.0
Scan saved at 9:32:26 PM, on 12/29/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\documents and settings\adam\local settings\temp\QU.exe
C:\documents and settings\adam\local settings\temp\u0LHnLu3.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\Documents and Settings\Adam\Application Data\poto.exe
C:\WINDOWS\System32\l?ass.exe
C:\Program Files\McAfee\McAfee AntiSpyware\Msssrv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\PROGRA~1\mcafee.com\mps\mcbrhlpr.dll (file missing)
O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\program files\mcafee.com\mps\popupkiller.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SSD2~1\SDHelper.dll
O2 - BHO: (no name) - {7B5CF03C-4FA0-3455-A4D0-40C6FE62C190} - C:\WINDOWS\System32\vhvaoo.dll
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Adam\Local Settings\Temp\H1.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
O4 - HKLM\..\Run: [_AntiSpyware] C:\Program Files\McAfee\McAfee AntiSpyware\MssCli.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [cbDvx.exe] c:\documents and settings\adam\local settings\temp\cbDvx.exe
O4 - HKLM\..\Run: [QU.exe] C:\documents and settings\adam\local settings\temp\QU.exe
O4 - HKLM\..\Run: [u0LHnLu3.exe] C:\documents and settings\adam\local settings\temp\u0LHnLu3.exe
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Eswh] C:\Documents and Settings\Adam\Application Data\poto.exe
O4 - HKCU\..\Run: [Qgyvbe] C:\WINDOWS\System32\l?ass.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1099463516099
O23 - Service: Symantec Event Manager - Unknown - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe (file missing)
O23 - Service: Symantec Password Validation - Unknown - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe (file missing)
O23 - Service: Symantec Settings Manager - Unknown - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe (file missing)
O23 - Service: McAfee AntiSpyware Real-Time Scanner - Network Associates, Inc. - C:\Program Files\McAfee\McAfee AntiSpyware\Msssrv.exe
O23 - Service: McAfee.com McShield - Unknown - c:\PROGRA~1\mcafee.com\vso\mcshield.exe (file missing)
O23 - Service: McAfee SecurityCenter Update Manager - Unknown - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe (file missing)
O23 - Service: McAfee.com VirusScan Online Realtime Engine - Unknown - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe (file missing)
O23 - Service: Symantec Core LC - Unknown - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe (file missing)



#2 Daisuke


Posted 31 December 2004 - 08:29 AM

Hi :thumbsup:

Please uninstall Viewpoint Media Player from Add\Remove Programs.
Removing Viewpoint Media Player may cause the program that bundled it to not function as intended.
About Viewpoint Media Player.


Download System Security Suite here:
System Security Suite Download & Tutorial. Unzip it to your desktop.
Install the program. Don't use it yet.

Please print or copy these instructions because you are not able to access the Internet in SafeMode.

Make sure you are set to show hidden files and folders:
A. On the Tools menu in Windows Explorer, click Folder Options.
B. Click the View tab.
C. Under Hidden files and folders, click Show hidden files and folders.
D. Uncheck Hide extensions for known filetypes and Hide protected operating system files.
How to see hidden files in Windows

REBOOT into SafeMode by tapping F8 key repeatedly at bootup: Starting your computer in Safe mode

Run HijackThis!, press Scan, and put a check mark next to all these:

O2 - BHO: (no name) - {7B5CF03C-4FA0-3455-A4D0-40C6FE62C190} - C:\WINDOWS\System32\vhvaoo.dll
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Adam\Local Settings\Temp\H1.dll

O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [cbDvx.exe] c:\documents and settings\adam\local settings\temp\cbDvx.exe
O4 - HKLM\..\Run: [QU.exe] C:\documents and settings\adam\local settings\temp\QU.exe
O4 - HKLM\..\Run: [u0LHnLu3.exe] C:\documents and settings\adam\local settings\temp\u0LHnLu3.exe
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKCU\..\Run: [Eswh] C:\Documents and Settings\Adam\Application Data\poto.exe
O4 - HKCU\..\Run: [Qgyvbe] C:\WINDOWS\System32\l?ass.exe


Close all other windows and browsers, and press the Fix Checked button.

Search for these files and delete them if found:
C:\WINDOWS\System32\vhvaoo.dll <-- this file
E6F1873B.DLL <-- this file
D9EBC318C <-- this file
D0CE0C16B1 <-- this file
C:\Documents and Settings\Adam\Application Data\poto.exe <-- this file

Delete these folders:
C:\Program Files\Viewpoint\Viewpoint Manager\ <-- this folder

With all windows and browsers closed.
Clean out temporary and Temporary Internet Files.
A. Open System Security Suite.
B. In the Items to Clear tab tick:
- Internet Explorer (left pane): Cookies & Temporary files
- My Computer (right pane): Temporary files & Recycle Bin
Press the Clear Selected Items button.
Close the program.

REBOOT normally.


Copy and paste the contents of the following quotebox into Notepad:

dir C:\WINNT\System32\?hkntfs.exe /a h > files.txt
notepad files.txt


Save it as FindFile.bat and save it on your Desktop.

Locate FindFile.bat on your Desktop and double-click on it. It will open Notepad with some text in it. Please post the text here.


Run HijackThis! again and post a new log please.
Every day is virus day. Do you know where your recovery CDs are?
Did you create them yet?

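The O4 entries Daisuke picks out above share traits a helper checks by eye: an autostart launched from a Temp or Application Data folder, rundll32 loading a DLL by bare name, a Run value named as a GUID, and a filename one character off a protected system process. The Python below is an added example, not something posted in this thread and not part of HijackThis; it parses O4 lines in the log's format and applies those checks. The sample lines are copied from the log above; the PROTECTED list and the heuristics are assumptions made for the example.

```python
import re
from typing import Dict, List, Optional, Set

# Constructed sample: O4 lines copied from the HijackThis log posted above.
# In HJT output the '?' in l?ass.exe marks a character the console could not print.
SAMPLE_O4_LINES = r"""
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [cbDvx.exe] c:\documents and settings\adam\local settings\temp\cbDvx.exe
O4 - HKLM\..\Run: [u0LHnLu3.exe] C:\documents and settings\adam\local settings\temp\u0LHnLu3.exe
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Eswh] C:\Documents and Settings\Adam\Application Data\poto.exe
O4 - HKCU\..\Run: [Qgyvbe] C:\WINDOWS\System32\l?ass.exe
""".strip().splitlines()

# "O4 - HKLM\..\Run: [value name] command line"
O4_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$')
# First token ending in an executable extension, optionally quoted. The lookahead
# stops ".com" inside "mcafee.com\vso\..." from being taken as the end of the path.
TARGET_RE = re.compile(r'^"?(?P<target>.*?\.(?:exe|dll|com|scr|bat))(?=["\s]|$)"?(?P<rest>.*)$', re.I)
GUID_RE = re.compile(r'^[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}$', re.I)

# Process names a lookalike would imitate (assumption: a short hand-picked list).
PROTECTED = {"lsass.exe", "svchost.exe", "csrss.exe", "smss.exe",
             "winlogon.exe", "services.exe", "explorer.exe", "spoolsv.exe"}


def lookalike_of(basename: str) -> Optional[str]:
    """Return the protected name this basename differs from by exactly one character."""
    b = basename.lower()
    if b in PROTECTED:
        return None
    for real in sorted(PROTECTED):
        if len(real) == len(b) and sum(x != y for x, y in zip(real, b)) == 1:
            return real
    return None


def triage_o4(lines: List[str]) -> List[Dict[str, object]]:
    """Parse O4 lines and return the entries that trip at least one heuristic."""
    findings: List[Dict[str, object]] = []
    for line in lines:
        m = O4_RE.match(line.strip())
        if not m:
            continue
        name, cmd = m.group("name"), m.group("cmd")
        t = TARGET_RE.match(cmd)
        target = t.group("target") if t else cmd
        rest = t.group("rest").strip() if t else ""
        base = target.rsplit("\\", 1)[-1]
        low = target.lower()
        reasons: List[str] = []
        if "\\temp\\" in low:
            reasons.append("launched from a Temp folder")
        if "\\application data\\" in low:
            reasons.append("launched from the user's Application Data folder")
        if any(c == "?" or ord(c) > 127 for c in base):
            reasons.append("filename contains a character the console could not print")
        real = lookalike_of(base)
        if real:
            reasons.append(f"filename is one character away from {real}")
        if base.lower() == "rundll32.exe":
            dll = rest.split(",")[0].strip()
            if dll and "\\" not in dll:
                reasons.append(f"rundll32 loads {dll} by bare name, with no path")
        if GUID_RE.match(name):
            reasons.append("Run value is named as a GUID instead of a product")
        if reasons:
            findings.append({"hive": m.group("hive"), "name": name,
                             "target": target, "reasons": reasons})
    return findings


def flagged_names(lines: List[str]) -> Set[str]:
    """Convenience wrapper: just the Run value names that were flagged."""
    return {str(f["name"]) for f in triage_o4(lines)}


if __name__ == "__main__":
    for f in triage_o4(SAMPLE_O4_LINES):
        print(f"{f['hive']} [{f['name']}] {f['target']}")
        for r in f["reasons"]:
            print("    -", r)
```

Run against the sample, the five entries Daisuke told Adam to fix are flagged and the McAfee, QuickTime and AIM entries are not. The Viewpoint entry is deliberately absent from the sample: it is an unwanted bundled program rather than anything these path-based heuristics can see, which is why a human reviewer is still needed.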

#3 AdamBuffalo


Posted 31 December 2004 - 09:58 PM

Hey Cryo, thanks for the help.

Below is my new HJT log. The last 2 items you asked me to remove with HJT were not present:

O4 - HKCU\..\Run: [Eswh] C:\Documents and Settings\Adam\Application Data\poto.exe
O4 - HKCU\..\Run: [Qgyvbe] C:\WINDOWS\System32\l?ass.exe
I could find neither in the HJT program, but all the others were there and fixed. As for the other log you asked me to return, files.txt, it came up blank; I had an error message in the CMD window that was opened by running the bat file:

The system cannot find the path specified

Here is the new HJT log, and thank you again for all your help and time.

Logfile of HijackThis v1.99.0
Scan saved at 9:51:51 PM, on 12/31/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\McAfee AntiSpyware\Msssrv.exe
C:\WINDOWS\System32\l?ass.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\cmd.exe
C:\WINDOWS\system32\notepad.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\PROGRA~1\mcafee.com\mps\mcbrhlpr.dll (file missing)
O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\program files\mcafee.com\mps\popupkiller.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SSD2~1\SDHelper.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
O4 - HKLM\..\Run: [_AntiSpyware] C:\Program Files\McAfee\McAfee AntiSpyware\MssCli.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Eswh] C:\Documents and Settings\Adam\Application Data\poto.exe
O4 - HKCU\..\Run: [Qgyvbe] C:\WINDOWS\System32\l?ass.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1099463516099
O23 - Service: Symantec Event Manager - Unknown - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe (file missing)
O23 - Service: Symantec Password Validation - Unknown - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe (file missing)
O23 - Service: Symantec Settings Manager - Unknown - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe (file missing)
O23 - Service: McAfee AntiSpyware Real-Time Scanner - Network Associates, Inc. - C:\Program Files\McAfee\McAfee AntiSpyware\Msssrv.exe
O23 - Service: McAfee.com McShield - Unknown - c:\PROGRA~1\mcafee.com\vso\mcshield.exe (file missing)
O23 - Service: McAfee SecurityCenter Update Manager - Unknown - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe (file missing)
O23 - Service: McAfee.com VirusScan Online Realtime Engine - Unknown - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe (file missing)
O23 - Service: Symantec Core LC - Unknown - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe (file missing)

Thanks again, -Adam

#4 AdamBuffalo


Posted 31 December 2004 - 10:27 PM

Hello, sorry for the double post.
I noticed that the two entries that I wrote I couldn't find,
O4 - HKCU\..\Run: [Eswh] C:\Documents and Settings\Adam\Application Data\poto.exe
O4 - HKCU\..\Run: [Qgyvbe] C:\WINDOWS\System32\l?ass.exe
were both in the new log that I posted to you. Neither was on the HJT log when I ran it in Safe Mode, but since I saw them on my current log I decided to reboot into Safe Mode and try again; they were both there, so I fixed them. I also re-followed all your previous instructions to make sure that nothing regrew on my HD. I will be sure not to reset or turn off my computer until I next hear from you. I will unplug my network cable to be sure that no one attempts to rehack my computer through the same hole that was previously used; I will check for replies using my laptop, which still has a functioning anti-virus protector and firewall installed. I cannot thank you enough for both your time and your help. Happy New Year, Cryo, I hope that you are enjoying yourself enough for the both of us, as I am rather frustrated. Thanks again,
-Adam

I wanted to post you a new HJT log showing that I fixed the two troublesome files, but each time I attempt to run HJT I get a Windows error saying that HJT has encountered a problem and needs to close. I think that if I reset I will be allowed to run HJT error-free, considering I did it a few mins ago in Safe Mode, but I am afraid to reset knowing that I may find that each program I removed has respawned itself and several clones of it. I will await your instructions with my computer unplugged from the outside world.
Goodbye and Happy New Year

#5 Daisuke


Posted 01 January 2005 - 08:08 AM

Download HJT 1.98.2
http://www.bleepingcomputer.com/files/hijackthis1982.php

Put it in a permanent folder (for example HJT 1982)
Run it, and post the log please.

#6 AdamBuffalo


Posted 01 January 2005 - 01:50 PM

hello,
I got the file you asked me to get, but I get the same error that I was getting when I ran the other HJT. It says HJT has encountered a problem and needs to close. I can reset my computer if you want, but I will wait to hear from you first to make sure there's no other way to fix it.
Thanks
Adam

#7 Daisuke


Posted 01 January 2005 - 01:59 PM

Yes, reboot and let me know what happens.

#8 AdamBuffalo


Posted 01 January 2005 - 02:40 PM

OK, here's my new log after a fresh reboot:

Logfile of HijackThis v1.99.0
Scan saved at 2:38:21 PM, on 1/1/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\McAfee\McAfee AntiSpyware\Msssrv.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\PROGRA~1\mcafee.com\mps\mcbrhlpr.dll (file missing)
O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\program files\mcafee.com\mps\popupkiller.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SSD2~1\SDHelper.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
O4 - HKLM\..\Run: [_AntiSpyware] C:\Program Files\McAfee\McAfee AntiSpyware\MssCli.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1099463516099
O23 - Service: Symantec Event Manager - Unknown - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe (file missing)
O23 - Service: Symantec Password Validation - Unknown - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe (file missing)
O23 - Service: Symantec Settings Manager - Unknown - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe (file missing)
O23 - Service: McAfee AntiSpyware Real-Time Scanner - Network Associates, Inc. - C:\Program Files\McAfee\McAfee AntiSpyware\Msssrv.exe
O23 - Service: McAfee.com McShield - Unknown - c:\PROGRA~1\mcafee.com\vso\mcshield.exe (file missing)
O23 - Service: McAfee SecurityCenter Update Manager - Unknown - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe (file missing)
O23 - Service: McAfee.com VirusScan Online Realtime Engine - Unknown - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe (file missing)
O23 - Service: Symantec Core LC - Unknown - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe (file missing)

#9 Daisuke


Posted 02 January 2005 - 05:16 AM

Copy and paste the contents of the following quotebox into Notepad:

dir C:\WINDOWS\System32\l?ass.exe /a h > files.txt
notepad files.txt


Save it as FindFile.bat and save it on your Desktop.

Locate FindFile.bat on your Desktop and double-click on it. It will open Notepad with some text in it. Please post the text here.

#10 AdamBuffalo


Posted 02 January 2005 - 04:14 PM

OK, here's the text I got back after running the bat file:

Volume in drive C has no label.
Volume Serial Number is 34B2-AC12

Directory of C:\WINDOWS\System32

03/31/2003 07:00 AM 11,776 lsass.exe
12/22/2004 02:21 PM 389,120 l?ass.exe
2 File(s) 400,896 bytes

Directory of C:\Documents and Settings\Adam\Desktop

#11 Daisuke


Posted 02 January 2005 - 04:28 PM

You will find two files with the same name in the C:\WINDOWS\System32\ folder: lsass.exe. One is bad and one is legitimate. You must delete the bad file.
Right click on each file and select Properties.
In the General tab the legitimate file has this Description: LSA Shell, Size = 11,776 bytes. Do not delete this file; it is a Microsoft file.

The bad file has a size of 389,120 bytes, and its description is unknown.
The bad file will not appear alphabetically.

If only the legitimate file is visible:

Copy the contents of the Quote Box below to Notepad.
Click File menu -> Save and name the file as unhide.reg
Change the Save as Type to All Files
Save this file on the desktop.


Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer]
"SearchSystemDirs"=dword:00000001
"SearchHidden"=dword:00000001
"IncludeSubFolders"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000001
"ShowSuperHidden"=dword:00000001


Double-click on the unhide.reg file you saved on your desktop, and when it prompts to merge say Yes.

REBOOT your machine.

Make sure you are set to show hidden files and folders:
A. On the Tools menu in Windows Explorer, click Folder Options.
B. Click the View tab.
C. Under Hidden files and folders, click Show hidden files and folders.
D. Uncheck Hide extensions for known filetypes and Hide protected operating system files.
How to see hidden files in Windows

Look for the bad file and delete it.

REBOOT and post a new hijackthis log please.
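Daisuke's test for the impostor (same visible name as lsass.exe, different size, no description, sorted out of place) can be automated. The Python below is an added example, not something posted in this thread; it reduces each filename to the ASCII a reader would see, using a small hand-written confusables table, and then compares size and version-info description against a known-good entry. The listing is constructed: the thread only shows the odd character as '?', so Cyrillic small dze (U+0455) stands in for it, and the 11,776-byte size for lsass.exe is taken from the dir output Adam posted above rather than from any reference database.

```python
import unicodedata
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Expected size of the genuine file. The 11,776-byte figure is the one shown
# in the dir output posted in this thread (Windows XP SP1); treat it as an
# example value, not as a reference for other Windows builds.
KNOWN_SYSTEM_BINARIES: Dict[str, int] = {"lsass.exe": 11776}

# Characters that render like ASCII letters but are different code points.
# Hand-picked for this example; a production tool would use the full Unicode
# confusables data.
CONFUSABLES: Dict[str, str] = {
    "\u0455": "s",  # Cyrillic small dze
    "\u04cf": "l",  # Cyrillic small palochka
    "\u0430": "a",  # Cyrillic small a
    "\u0435": "e",  # Cyrillic small ie
    "\u043e": "o",  # Cyrillic small o
    "\u0441": "c",  # Cyrillic small es
    "\u0440": "p",  # Cyrillic small er
    "\u0445": "x",  # Cyrillic small ha
    "\u0456": "i",  # Cyrillic small Byelorussian-Ukrainian i
    "\u0458": "j",  # Cyrillic small je
    "\uff0e": ".",  # fullwidth full stop
}


@dataclass
class DirEntry:
    name: str
    size: int
    description: Optional[str]  # FileDescription from version info, None if absent


def skeleton(name: str) -> str:
    """Map a filename to the plain-ASCII form a person reading the listing would see."""
    folded = unicodedata.normalize("NFKC", name).casefold()
    return "".join(CONFUSABLES.get(ch, ch) for ch in folded)


def find_impostors(entries: List[DirEntry]) -> List[Tuple[str, List[str]]]:
    """Return (name, reasons) for entries that look like a known binary but do not match it."""
    findings: List[Tuple[str, List[str]]] = []
    for e in entries:
        skel = skeleton(e.name)
        if skel not in KNOWN_SYSTEM_BINARIES:
            continue
        reasons: List[str] = []
        if e.name.casefold() != skel:
            odd = ", ".join(f"U+{ord(c):04X}" for c in e.name if ord(c) > 127)
            reasons.append(f"reads as {skel} but contains non-ASCII {odd}")
        expected = KNOWN_SYSTEM_BINARIES[skel]
        if e.size != expected:
            reasons.append(f"size {e.size:,} bytes differs from expected {expected:,}")
        if not e.description:
            reasons.append("no version-info description")
        if reasons:
            findings.append((e.name, reasons))
    return findings


# Constructed listing modelled on the dir output above. The impostor's second
# character is a stand-in; the real character on Adam's machine is unknown.
SAMPLE_LISTING = [
    DirEntry("lsass.exe", 11776, "LSA Shell"),
    DirEntry("l\u0455ass.exe", 389120, None),
    DirEntry("svchost.exe", 14336, "Generic Host Process for Win32 Services"),  # constructed size
]

if __name__ == "__main__":
    # A plain code-point sort puts the impostor after the genuine file even though
    # both read as "lsass.exe", which is the "will not appear alphabetically" clue.
    for name in sorted(e.name for e in SAMPLE_LISTING):
        print(name.encode("unicode_escape").decode())
    for name, reasons in find_impostors(SAMPLE_LISTING):
        print(name.encode("unicode_escape").decode(), "->", "; ".join(reasons))
```

The skeleton comparison is what makes the check robust: a file whose name merely looks like lsass.exe is caught even when its size or description happens to match, and a genuine file named in a different case is not flagged because casefolding happens before the confusables mapping.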

#12 AdamBuffalo


Posted 02 January 2005 - 04:52 PM

hello,
I found the bad file and deleted it, and then rebooted. I was able to see the file and delete it without making the registry file. HijackThis refuses to run; when I click HJT I get an error box:

HijackThis.exe - Entry Point Not Found
The procedure entry point SetWindowTExtA could not be located in the dynamic link library USER32.dll

I did go back to the system32 file and confirmed that the bad file is gone and still is.
Thanks
-Adam

#13 Daisuke


Posted 03 January 2005 - 06:01 AM

Go to Start --> Run, and type cmd in the Open box, then click OK to open a command prompt.
Type sfc /scannow, note the space after sfc.

Insert your original Windows CD in the CD-ROM drive. This will restore your protected system files on your computer.

Can you run hijackthis ?

#14 AdamBuffalo


Posted 03 January 2005 - 01:14 PM

I did as you asked; Windows replaced some system files and then reset. After the reset I was told that I had a registry error and that my registry had been restored from a previous copy. I was able to run HJT again; here is my new log:

Logfile of HijackThis v1.99.0
Scan saved at 1:11:19 PM, on 1/3/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\SSD 2\TeaTimer.exe
C:\Program Files\McAfee\McAfee AntiSpyware\Msssrv.exe
C:\HJT\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SSD2~1\SDHelper.dll
O4 - HKLM\..\Run: [_AntiSpyware] C:\Program Files\McAfee\McAfee AntiSpyware\MssCli.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\SSD 2\TeaTimer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1099463516099
O23 - Service: McAfee AntiSpyware Real-Time Scanner - Network Associates, Inc. - C:\Program Files\McAfee\McAfee AntiSpyware\Msssrv.exe
O23 - Service: Sygate Personal Firewall - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

#15 Daisuke


Posted 03 January 2005 - 01:19 PM

Log looks clean...great job ! :thumbsup: Is your computer OK now ?

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

How did I get infected ? With steps so it does not happen again !