1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

HiJack Log - Need Help!!

Discussion in 'Virus & Other Malware Removal' started by bernard8, Oct 11, 2004.

Thread Status:
Not open for further replies.
Advertisement
  1. bernard8

    bernard8 Thread Starter

    Joined:
    Oct 11, 2004
    Messages:
    21
    Hello out there...I need help...I can't open Control Panel, My Computer, My Network Places, etc....system will refresh instead.

    Here is my log....any help would be very appreciated!!

    Logfile of HijackThis v1.98.2
    Scan saved at 1:12:27 PM, on 10/11/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\system32\svchost.exe
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    C:\Program Files\Canon Electronics\Scan Panel\drpanel.exe
    C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
    C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
    C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    c:\progra~1\mcafee.com\vso\mcvsescn.exe
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\WINDOWS\System32\?ttrib.exe
    c:\progra~1\mcafee.com\vso\mcvsftsn.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Century\TinyTERM\tt.exe
    C:\Program Files\Microsoft Office\Office\EXCEL.EXE
    C:\WINDOWS\explorer.exe
    C:\Program Files\Pixel Translations\PixUtil\PIXUTIL.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://msaps.dll/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://msaps.dll/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://msaps.dll/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.fastseeker.com/search.html
    R3 - URLSearchHook: MailTo Class - {FDE3577A-6254-181C-4E11-339E4F746BD3} - C:\WINDOWS\System32\wins32t.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {32DA380B-E268-4EC4-8124-61550C85204D} - C:\WINDOWS\System32\rwekmmf.dll (file missing)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
    O2 - BHO: Tubby - {9EAC0102-5E61-2312-BC2D-76746C56544C} - C:\WINDOWS\System32\vtlbar1.dll
    O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
    O3 - Toolbar: Search Toolbar - {9EAC0102-5E61-2312-BC2D-76746C56544C} - C:\WINDOWS\System32\vtlbar1.dll
    O4 - HKLM\..\Run: [Scan Panel] "C:\Program Files\Canon Electronics\Scan Panel\drpanel.exe" /Stay
    O4 - HKLM\..\Run: [jUsCULbH] C:\documents and settings\camaro\local settings\temp\jUsCULbH.exe
    O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
    O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
    O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
    O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
    O4 - HKLM\..\Run: [WinService32] C:\Program Files\System32\svchost.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [Rgbvr] C:\WINDOWS\System32\?ttrib.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZRxdm087
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1093893892078
    O16 - DPF: {6EB21964-9353-4467-94D2-72009261C974} (Socket Class) - http://www.telechat.com/tsock.cab
    O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - https://www.officeally.com/XUpload.ocx
     
  2. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    Before we proceed, download, unzip and have convenient the following files:

    1 > coolwebshredder: http://www.computercops.biz/downloads-cat-14.html
    2 > about:buster: http://www.downloads.subratam.org/AboutBuster.zip
    3 > getservice.zip: http://forums.techguy.org/attachment.php?attachmentid=38367
    4 > CWS service remover: http://forums.techguy.org/attachment.php?attachmentid=38507
    5 > Hoster: http://members.aol.com/toadbee/hoster.zip

    >>> For starters, unzip getservice.zip to its own folder and run getservices.bat and upload the text file it creates here as an attachment. Include another HijackThis scanlog in case something has "morphed"

    Also move HijackThis into a permanent folder of its own, preferably in MyDocuments, since we will be deleting temporary folder contents as part of the cleanup.
     
  3. bernard8

    bernard8 Thread Starter

    Joined:
    Oct 11, 2004
    Messages:
    21
    ok, i have downloaded all of these here is the updated hijack log...

    Logfile of HijackThis v1.98.2
    Scan saved at 2:54:34 PM, on 10/11/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\system32\svchost.exe
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    C:\Program Files\Canon Electronics\Scan Panel\drpanel.exe
    C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
    C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
    C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    c:\progra~1\mcafee.com\vso\mcvsescn.exe
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\WINDOWS\System32\?ttrib.exe
    c:\progra~1\mcafee.com\vso\mcvsftsn.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\explorer.exe
    C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.fastseeker.com/search.html
    R3 - URLSearchHook: MailTo Class - {FDE3577A-6254-181C-4E11-339E4F746BD3} - C:\WINDOWS\System32\wins32t.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {32DA380B-E268-4EC4-8124-61550C85204D} - C:\WINDOWS\System32\rwekmmf.dll (file missing)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
    O2 - BHO: Tubby - {9EAC0102-5E61-2312-BC2D-76746C56544C} - C:\WINDOWS\System32\vtlbar1.dll
    O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
    O3 - Toolbar: Search Toolbar - {9EAC0102-5E61-2312-BC2D-76746C56544C} - C:\WINDOWS\System32\vtlbar1.dll
    O4 - HKLM\..\Run: [Scan Panel] "C:\Program Files\Canon Electronics\Scan Panel\drpanel.exe" /Stay
    O4 - HKLM\..\Run: [jUsCULbH] C:\documents and settings\camaro\local settings\temp\jUsCULbH.exe
    O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
    O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
    O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
    O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
    O4 - HKLM\..\Run: [WinService32] C:\Program Files\System32\svchost.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [Rgbvr] C:\WINDOWS\System32\?ttrib.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1093893892078
    O16 - DPF: {6EB21964-9353-4467-94D2-72009261C974} (Socket Class) - http://www.telechat.com/tsock.cab
    O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - https://www.officeally.com/XUpload.ocx

    Let me know what else I can do...thank you so much for the help!!
     
  4. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    I need you to run the "getservices.bat" file and upload the text file it produces as an attachment.

    But follow these directions now anyway:

    [​IMG] Have these instructions printed or in a convenient Notepad (or Wordpad) file so you can view them in Safe Mode. Have "show hidden (or all) files" checked in Folder Options > View in case you have to search for any hidden files to delete. Also ensure you do NOT have "hide file extensions..." enabled in Folder Options > View

    Download and unzip to a convenient location the CoolWebShredder, CWShredder.exe available here: http://www.computercops.biz/downloads-cat-14.html

    Then:

    1 >> Restart in Safe Mode: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406

    2 >> In Safe Mode run the CoolWebShredder and have it "fix" detected problems. Then run HijackThis and check and "fix" the following entries:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.fastseeker.com/search.html
    R3 - URLSearchHook: MailTo Class - {FDE3577A-6254-181C-4E11-339E4F746BD3} - C:\WINDOWS\System32\wins32t.dll

    O2 - BHO: (no name) - {32DA380B-E268-4EC4-8124-61550C85204D} - C:\WINDOWS\System32\rwekmmf.dll (file missing)

    O2 - BHO: Tubby - {9EAC0102-5E61-2312-BC2D-76746C56544C} - C:\WINDOWS\System32\vtlbar1.dll

    O3 - Toolbar: Search Toolbar - {9EAC0102-5E61-2312-BC2D-76746C56544C} - C:\WINDOWS\System32\vtlbar1.dll

    O4 - HKLM\..\Run: [jUsCULbH] C:\documents and settings\camaro\local settings\temp\jUsCULbH.exe

    O4 - HKLM\..\Run: [WinService32] C:\Program Files\System32\svchost.exe

    ^^ delete the "system32" folder in C:\program Files. This is NOT c:\windows\system32 >> don't touch that.

    O4 - HKCU\..\Run: [Rgbvr] C:\WINDOWS\System32\?ttrib.exe

    ^^ delete the FILE ?ttrib.exe in c:\windows\system32

    Additional cleanup instructions: Go to the Control Panel > Internet Options applet. Clear the Temporary Internet Cache, History and Offline Content. Go to the Programs tab and select "reset web settings", including your home page if it has been altered. You can reset that later to what you desire.

    Go to Start > Run, enter %temp% and then click Edit > Select All. Right click on the selected files and folders and delete them

    >> reboot and post a new Scanlog. Let me know if you are still having problems.
     
As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/283462