
Registered · 3 Posts · Discussion Starter · #1
OK, this is the first time I've really had to use HJT to clean a computer, so I want to make sure I'm looking for the right things, and I'm hoping you guys can take a look.

We've run Ad-Aware SE Pro and Spybot S&D, and are currently using AVG Free on the machine. We're getting a lot of pop-ups, and the home page has been changed to about:blank but brings up one of those PITA search engines. It's also popping up several warnings of a Trojan Horse.

Thanks for the help.

Logfile of HijackThis v1.99.0
Scan saved at 5:09:03 PM, on 1/17/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\windows\system32\sHS.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\system32\sHS.exe
\SHUMWAY1\SharedDocs\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\stcos.dll/sp.html#14044
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\stcos.dll/sp.html#14044
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\stcos.dll/sp.html#14044
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\stcos.dll/sp.html#14044
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\stcos.dll/sp.html#14044
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\stcos.dll/sp.html#14044
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {367AB86B-4560-ABE0-DA70-7E3A543F553D} - C:\WINDOWS\ipyv32.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [appco.exe] C:\WINDOWS\appco.exe
O4 - HKLM\..\Run: [bQHX8f] C:\documents and settings\scott\local settings\temp\bQHX8f.exe
O4 - HKLM\..\Run: [aTu] C:\windows\system32\aTu.exe
O4 - HKLM\..\Run: [sHS.exe] c:\windows\system32\sHS.exe
O4 - HKLM\..\Run: [fM3IhGEbP] C:\documents and settings\scott\local settings\temp\fM3IhGEbP.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1100053816107
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {C81B5180-AFD1-41A3-97E1-99E8D254DB98} (CSS Web Installer Class) - http://www.freedom.net/viruscenter/onlineviruscheck/cabs/cssweb.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BF1D4802-0F53-412B-BA1D-BFB352E9B55B}: NameServer = 68.111.16.30,68.111.16.25
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Remote Procedure Call (RPC) Helper - Unknown - C:\WINDOWS\system32\ipwu32.exe (file missing)
 

Gone but Never Forgotten · 17,966 Posts
Hi,
Download this to have handy; we will run it later, in Safe Mode. First unzip all files from the zip folder to a folder or your desktop. Start it and hit OK. Then hit Update. A new screen should pop up. On that screen hit Check for Updates. If it says it found an update, hit Download Updates. If it doesn't, it will automatically tell you and exit.
We are not running the rest now... later, in Safe Mode.

http://www.majorgeeks.com/download4289.html

And, download this, same, we will use it later!

http://www.majorgeeks.com/download3019.html

Since these directions will not be available to you then, copy and paste the text here to a Notepad file and save it on your desktop, or print them out.

_____________________________
Now go ahead and set your computer to show hidden files like this:

Because XP will not always show you hidden files and folders by default, go to Start > Search and under "More advanced search options" make sure there is a check by "Search System Folders", "Search hidden files and folders" and "Search system subfolders".

Next click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types". Now click "Apply to all folders".
Click "Apply" then "OK".

___________________
Though this service should already be gone, let's have you check: go to Start, then Run, type in services.msc and OK it. In the list of services, find

Remote Procedure Call (RPC) Helper --- be careful, because there are two legitimate services with very similar names.

Right-click and choose "Properties". On the "General" tab under "Service Status" click the "Stop" button to stop the service. Beside "Startup Type" in the dropdown menu select "Disabled". Click Apply then OK. Exit the Services utility.
_____________

Boot to Safe Mode by tapping the F8 key quickly, several times, when you start or restart the machine, just as you see any text on screen. When the startup menu shows, select Safe Mode (only) with the arrow keys, and then hit the Enter key once. Give it plenty of time to get to the desktop.

Run HijackThis, put checks next to these items, and when you have them all click "Fix checked". If you do not see some items, just continue with the steps:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\stcos.dll/sp.html#14044
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\stcos.dll/sp.html#14044
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\stcos.dll/sp.html#14044
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\stcos.dll/sp.html#14044
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\stcos.dll/sp.html#14044
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\stcos.dll/sp.html#14044
O4 - HKLM\..\Run: [appco.exe] C:\WINDOWS\appco.exe
O4 - HKLM\..\Run: [bQHX8f] C:\documents and settings\scott\local settings\temp\bQHX8f.exe
O4 - HKLM\..\Run: [aTu] C:\windows\system32\aTu.exe
O4 - HKLM\..\Run: [sHS.exe] c:\windows\system32\sHS.exe
O4 - HKLM\..\Run: [fM3IhGEbP] C:\documents and settings\scott\local settings\temp\fM3IhGEbP.exe
O23 - Service: Remote Procedure Call (RPC) Helper - Unknown - C:\WINDOWS\system32\ipwu32.exe (file missing)

Find and delete these files from the folders shown. Look hard for them, but continue if you cannot find them; the ones in the temp directory, for instance, may not be there.

C:\WINDOWS\appco.exe
C:\documents and settings\scott\local settings\temp\fM3IhGEbP.exe
C:\documents and settings\scott\local settings\temp\bQHX8f.exe

c:\windows\system32\sHS.exe
C:\windows\system32\aTu.exe

Navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Next navigate to the C:\Documents and Settings\Administrator (Repeat for all user names)\Local Settings\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.

Now, run AboutBuster... Hit Start and then OK. Let it scan and finish; don't restart yet.

Now run CWShredder.exe; it will quickly scan and tell you it removed something, or that the system was clean.

Use the "FIX" button, not scan only.

Boot back into Windows now- just restart normally.

Turn off System Restore:

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Restart your computer.

Go here and do a scan of the whole computer; set the AUTOCLEAN button:

http://housecall.antivirus.com/housecall/start_corp.asp

This hijacker is known to alter or delete certain files, so check this out please:

Download the Hoster from here: http://members.aol.com/toadbee/hoster.zip

Unzip the file, press "Restore Original Hosts" and press "OK". Exit the program.

If you have Spybot S&D installed you will also need to replace one file.
Go here: http://www.spywareinfo.com/~merijn/winfiles.html#sdhelper

and download SDHelper.dll. Copy the file to the folder containing your Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy).

Check in the C:\Windows\system32 folder to be sure you have a file named Shell.dll. If you do not have one, go to the C:\Windows\system32\dllcache folder.
Find shell.dll and right click on it. Choose Copy from the menu.
Open the System32 folder and right click on an empty space in the window. Choose Paste from the menu.

control.exe may have been deleted.
See if control.exe is present in C:\windows\system32

If control.exe isn't there, go to http://www.spywareinfo.com/~merijn/winfiles.html
and download control.exe per the instructions at the site.

IMPORTANT!: Please check your ActiveX security settings. They may have been changed by this CWS variant to allow ALL ActiveX!! If they have been changed, reset your ActiveX security settings in IE; do this:
At the top of any IE window, select Tools > Internet Options > Security > Default level.

Run scans with AdAware and SpyBot (updated) and let them remove what they come up with.

At this point, post a new Hijackthis log.
You must do what is below also, but post a log now.

__________________
NEXT: You do not have any of the Service Packs for XP... you need to visit Windows Update and get all critical updates, and Service Pack One installed, to be semi-safe; you can be quickly reinfected without any updates!!!!!!

I would not try for SP2 right now; besides, you need SP One first...

__________________
When you are sure you are clean turn System Restore back on and create a restore point.

To create a restore point:

Single-click Start and point to All Programs.
Mouse over Accessories, then System Tools, and select System Restore.
In the System Restore wizard, select the box next to the text labeled "Create a restore point" and click the Next button.
Type a description for your new restore point, something like "After trojan/spyware cleanup". Click Create and you're done.
 

Registered · 3 Posts · Discussion Starter · #3
OK, finally got back over here to finish this. My apologies for the delay getting back on the thread.

I followed all of the above, etc. Here's the next log.

I've been wanting to update this computer for a while, but it has a hacked XP copy right now. We're getting a legit version soon, so for now I can't do the updates.

Logfile of HijackThis v1.99.0
Scan saved at 6:20:09 PM, on 2/14/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\r?gsvr32.exe
C:\Documents and Settings\Scott\Application Data\shtr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\All Users\Documents\fix stuff\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://pages.ebay.com/search/items/basicsearch.html?ssPageName=h:h:fitem:US
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {367AB86B-4560-ABE0-DA70-7E3A543F553D} - C:\WINDOWS\ipyv32.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: (no name) - {E1301723-A092-8241-B56D-FA7A91B80EE6} - C:\WINDOWS\System32\xlhe.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [Vsi] C:\WINDOWS\System32\r?gsvr32.exe
O4 - HKCU\..\Run: [Baod] C:\Documents and Settings\Scott\Application Data\shtr.exe
O4 - Startup: Paint.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar4.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar4.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar4.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar4.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar4.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1100053816107
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{BF1D4802-0F53-412B-BA1D-BFB352E9B55B}: NameServer = 68.111.16.30,68.111.16.25
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
 

Gone but Never Forgotten · 17,966 Posts
Hi, good work so far. Check this out:

Press the CTRL+ALT+DEL keys once to bring up Task/Process Manager... in Processes, look for paint.exe

You can scan this one file here, just the one file, if you can find it: paint.exe (shows in your log as a startup, but perhaps you can locate it on the hard drive and have it checked). If not, check the Properties; if recent, it's bad.

http://virusscan.jotti.dhs.org/

"""Run Task Manager and kill the process called PAINT.EXE you will see it was created more recently than your windows version, probably no earlier than July '04.
3. You can use the MS search, or just go to the root of Windows and remove: PAINT.EXE and also PAINT.EXE from prefetch. This one will likely have a string of numbers after it, but still delete it.
4.Windows\Downloaded Installations remove "paintms.exe" """

That's an excerpt from a thread where someone had this... I don't know if it is what you have, but it's a strong suspect, starting that way....

________________________
Download: DelDomains

Download www.mvps.org/winhelp2002/DelDomains.inf

Just leave it sitting on the desktop for now; we will use it later...

Boot to Safe Mode as before, run HijackThis again, have all other browser/IE windows closed, and copy the steps to have on your desktop to refer to.

Put checks next to each of these in your scan window in HJT, then click "Fix checked":

C:\Documents and Settings\Scott\Application Data\shtr.exe

C:\WINDOWS\System32\r?gsvr32.exe
O2 - BHO: (no name) - {367AB86B-4560-ABE0-DA70-7E3A543F553D} - C:\WINDOWS\ipyv32.dll (file missing)

O2 - BHO: (no name) - {E1301723-A092-8241-B56D-FA7A91B80EE6} - C:\WINDOWS\System32\xlhe.dll
O4 - HKCU\..\Run: [Vsi] C:\WINDOWS\System32\r?gsvr32.exe
O4 - HKCU\..\Run: [Baod] C:\Documents and Settings\Scott\Application Data\shtr.exe
O4 - Startup: Paint.exe << (this probably is not the mspaint program; if it wasn't, you probably deleted it before, so it may not be found)

O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present << if you or a program did not set these Restrictions, fix them! If you know what program did, undo them so your changes can take effect.

Right-click on the deldomains.inf file and select 'Install'.

This should clear out those trusted entries that will not be removed. Note: In fact this will clear out ALL your trusted and restricted zones entries. If you had any custom entries (like IESPYAD) you will need to re-enter those yourself.

Have hidden/system files viewable, and do the temp deletion:

flrman1 said:
Because XP will not always show you hidden files and folders by default, go to Start > Search > Files and Folders and under "More advanced search options" make sure there is a check by "Search System Folders", "Search hidden files and folders" and "Search system subfolders".

Next click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types". Now click "Apply to all folders".
Click "Apply" then "OK".

Also in Safe Mode, navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Go to Start > Run and type %temp% in the Run box, and OK. The Temp folder will open. Click Edit > Select All then File > Delete to delete the entire contents of the Temp folder.
Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK.
Next, navigate to the folders holding the files at the ends of these lines, and delete the files.

You may not see all of them; that is normal:

C:\Documents and Settings\Scott\Application Data\shtr.exe

C:\WINDOWS\System32\r?gsvr32.exe

C:\WINDOWS\ipyv32.dll (file missing) << make sure; sometimes there is more than one copy or location

C:\WINDOWS\System32\xlhe.dll

When they are deleted, Empty the Recycle Bin.

Restart back to normal mode, and run a full scan with AdAware and SpyBot.

I would try this online scan also:

http://www.pandasoftware.com/activescan/com/activescan_principal.htm

Post a fresh HJT log, hopefully the last one.
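The two replies above pick the suspect lines out of the HJT logs by eye: search pages redirected into a res:// DLL, autoruns launched from temp or Application Data folders, unnamed BHOs, O6 restrictions, O15 trusted-zone entries, and an O23 service whose file is missing. The triage below is an added example (not code from this forum, nor HijackThis's own logic) that applies those same checks to lines copied from this thread's logs; the sample log is a constructed subset of the posted logs.

```python
import re
from typing import Dict, List

# Constructed sample input: lines copied from the HijackThis logs posted in
# this thread, with benign entries (Adobe, AVG, NVIDIA) kept for contrast.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.0
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\stcos.dll/sp.html#14044
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {367AB86B-4560-ABE0-DA70-7E3A543F553D} - C:\WINDOWS\ipyv32.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [bQHX8f] C:\documents and settings\scott\local settings\temp\bQHX8f.exe
O4 - HKCU\..\Run: [Baod] C:\Documents and Settings\Scott\Application Data\shtr.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O23 - Service: Remote Procedure Call (RPC) Helper - Unknown - C:\WINDOWS\system32\ipwu32.exe (file missing)
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# Every HijackThis finding starts with a section tag such as "R1 - " or "O23 - ".
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")

# Directories a legitimate autostart entry has no business living in
# (compared case-insensitively against the lowercased entry body).
SUSPECT_DIRS = ("\\local settings\\temp\\", "\\windows\\temp\\", "\\application data\\")


def classify(section: str, body: str) -> List[str]:
    """Return the reasons (possibly none) that one log entry deserves a second look."""
    reasons: List[str] = []
    lower = body.lower()
    if section in ("R0", "R1"):
        if "res://" in lower:
            reasons.append("IE search/start page redirected into a local DLL resource (CWS-style hijack)")
        elif lower.endswith("= about:blank"):
            reasons.append("IE page reset to about:blank, a side effect of the same hijacker")
    elif section == "R3" and "missing" in lower:
        reasons.append("default URLSearchHook removed")
    elif section == "O2" and "bho: (no name)" in lower:
        reasons.append("unnamed browser helper object")
    elif section == "O4" and any(d in lower for d in SUSPECT_DIRS):
        reasons.append("autostart launched from a temp or per-user data directory")
    elif section == "O6":
        reasons.append("IE policy restrictions set; legitimate only if you or a known tool set them")
    elif section == "O15":
        reasons.append("domain added to the IE Trusted Zone")
    elif section == "O23":
        if "(file missing)" in lower:
            reasons.append("service points at a file that no longer exists")
        if " - unknown - " in lower:
            reasons.append("service has no known publisher")
    return reasons


def triage(log_text: str) -> List[Dict[str, object]]:
    """Parse a HijackThis log and return the entries worth reviewing, in log order."""
    findings: List[Dict[str, object]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header lines and the "Running processes" list carry no section tag
        reasons = classify(m.group("section"), m.group("body"))
        if reasons:
            findings.append({"section": m.group("section"), "line": line, "reasons": reasons})
    return findings


def summary(findings: List[Dict[str, object]]) -> Dict[str, int]:
    """Count flagged entries per HijackThis section, e.g. {'O4': 2, 'O15': 1}."""
    counts: Dict[str, int] = {}
    for f in findings:
        section = str(f["section"])
        counts[section] = counts.get(section, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["line"])
        for reason in f["reasons"]:
            print("    ->", reason)
```

The rules are deliberately conservative: an O4 entry is flagged by its location, not its name, so a benign program started from Application Data will show up for review rather than be silently cleared.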
 

Registered · 3 Posts · Discussion Starter · #5
OK, couldn't find paint.exe. I ran HJT again before doing anything, just for fun, and it didn't show up this time. Went through everything, and of the 4 files you mentioned at the bottom, the only one present was the first, shtr.exe. Deleted that, ran SpyBot and Ad-Aware, then the Panda scan; it found 6 pieces of spy/adware, but nothing else. Here's the new HJT log:

Logfile of HijackThis v1.99.0
Scan saved at 8:04:30 PM, on 2/15/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\mmfutil.exe
C:\Documents and Settings\All Users\Documents\fix stuff\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://pages.ebay.com/search/items/basicsearch.html?ssPageName=h:h:fitem:US
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [mmfutil] C:\WINDOWS\System32\mmfutil.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar4.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar4.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar4.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar4.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar4.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1100053816107
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{BF1D4802-0F53-412B-BA1D-BFB352E9B55B}: NameServer = 68.111.16.30,68.111.16.25
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

As best I can tell, looks like it's clean. Anything else I should do?
 

Gone but Never Forgotten · 17,966 Posts
Hi, nice! If mmfutil.exe is part of Microsoft Mail, as I think it may be, that is a clean log....

In other words, is this:

http://www.filename.info/f/mmfutil.dll.html

what you have there?

If so, and you are pretty sure it's running OK, your next step, if you have System Restore running, would be to turn that off, restart the computer, and then turn it back on and create a new clean Restore Point. Here are the steps:

Please do the following:

Turn off System Restore:

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK. Wait for the hourglass to stop and for it to say "Turned Off".

Restart your computer, turn System Restore back on and create a restore point.

To create a restore point:

Single-click Start and point to All Programs.
Mouse over Accessories, then System Tools, and select System Restore.
In the System Restore wizard, select the box next to the text labeled "Create a restore point" and click the Next button.
Type a description for your new restore point, something like "After trojan/spyware cleanup". Click Create and you're done.
 