Chaslang, here's my HSRemove log

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by MadCatX, Jul 15, 2004.

  1. MadCatX

    MadCatX Private E-2

    On Windows XP :

    Logfile of HijackThis v1.97.7
    Scan saved at 11:16:02 PM, on 7/15/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\netjv.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\System32\devldr32.exe
    C:\Documents and Settings\Morgan\My Documents\program downloads\Executables\HijackThis.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\WINDOWS\mfcwk.exe
    C:\Program Files\Internet Explorer\iexplore.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\kuiti.dll/sp.html#96676
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://kuiti.dll/index.html#96676
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://kuiti.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\kuiti.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://kuiti.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\kuiti.dll/sp.html#96676
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {C5D9D5E4-0152-1D18-69AD-98A5DEF30DAA} - C:\WINDOWS\sysfh32.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [mfcwk.exe] C:\WINDOWS\mfcwk.exe
    O4 - HKLM\..\RunOnce: [netjv.exe] C:\WINDOWS\netjv.exe
    O4 - HKLM\..\RunOnce: [crmd.exe] C:\WINDOWS\system32\crmd.exe
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: Research (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button:
     
  2. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    You have the Home Search Assistant as seen in the R0 and R1 lines. Follow other threads here for instructions or read the sticky topic at the top of this thread.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\kuiti.dll/sp.html#96676
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Now follow these steps exactly. Read through them first. If you cannot do them or do not understand anything, don't do anything until you get clarification from me. You may want to print these or copy them locally to a notepad file because I am going to have you physically disconnect from the internet very soon.

    Before starting make sure you have the current versions of:
    HijackThis (you have an old version): http://www.majorgeeks.com/download3155.html
    HSremove (v2.38 at time of writing): http://www.majorgeeks.com/download4286.html
    a² anti virus: http://www.majorgeeks.com/download4281.html
    (Download and install a2. You need to get a registration key to use it, and it will require a reboot before using. Don't reboot yet. We'll do that later when we go into safe mode.)
    Ad-aware: http://www.majorgeeks.com/download506.html
    Make sure the Ad-aware reference file is updated. At time of writing we are at: 01R332 12.07.2004
    Also first read about how to set Ad-aware for a fullscan: http://www.lavahelp.com/howto/fullscan/index.html

    Print instructions if necessary or save locally.

    - Make sure you can view hidden files and folders: http://www.xtra.co.nz/help/0,,4155-1916458,00.html
    - disable system restore: http://forums.majorgeeks.com/showthread.php?t=31668 (do not reboot when told to)
    - **** VERY IMPORTANT physically disconnect from the internet (unplug cables) ****
    - As long as you have not rebooted since posting the log, the files below may still be the same. Bring up Task Manager (CTRL-ALT-DEL) and kill these processes if found:
    netjv.exe
    mfcwk.exe
    crmd.exe

    - run HSremove
    - Boot into safe mode: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406?OpenDocument&src=sec_doc_nam
    - run HijackThis and fix these if found:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\kuiti.dll/sp.html#96676
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://kuiti.dll/index.html#96676
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://kuiti.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\kuiti.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://kuiti.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\kuiti.dll/sp.html#96676
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
    O2 - BHO: (no name) - {C5D9D5E4-0152-1D18-69AD-98A5DEF30DAA} - C:\WINDOWS\sysfh32.dll
    O4 - HKLM\..\Run: [mfcwk.exe] C:\WINDOWS\mfcwk.exe
    O4 - HKLM\..\RunOnce: [netjv.exe] C:\WINDOWS\netjv.exe
    O4 - HKLM\..\RunOnce: [crmd.exe] C:\WINDOWS\system32\crmd.exe

    - Reset Web Settings by right clicking on your Internet Explorer icon. Then click Properties, Programs, and click the Reset Web Settings button. Then go back to the General tab and set your home page back to something useful like www.majorgeeks.com
    - while in safe mode run Fullscan with Ad-aware
    - boot normal and reconnect to internet

    - Run a² anti virus!
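The two observations the helpers make above (R0/R1 entries whose value is a res:// URL served out of a DLL, and autorun entries whose executable is still live in the "Running processes" block, so it has to be ended before HijackThis can fix the entry) can be re-derived mechanically from the log text. The script below is an added example written for this thread; it is not MajorGeeks, HSremove or HijackThis code. The log excerpt and the fix list are constructed from the lines posted above, and the function and constant names are the example's own.

```python
"""Triage helper for a HijackThis v1.97-style log (added example).

It re-derives two checks from the thread: R0/R1 entries that point at a
res:// URL inside a DLL, and which of the autorun entries chosen for removal
are still running according to the 'Running processes' block.
"""
import re
from collections import defaultdict

# Constructed sample: an excerpt of the log posted in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7
Scan saved at 11:16:02 PM, on 7/15/2004

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\netjv.exe
C:\WINDOWS\mfcwk.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\kuiti.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://kuiti.dll/index.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
O2 - BHO: (no name) - {C5D9D5E4-0152-1D18-69AD-98A5DEF30DAA} - C:\WINDOWS\sysfh32.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mfcwk.exe] C:\WINDOWS\mfcwk.exe
O4 - HKLM\..\RunOnce: [netjv.exe] C:\WINDOWS\netjv.exe
O4 - HKLM\..\RunOnce: [crmd.exe] C:\WINDOWS\system32\crmd.exe
"""

# Constructed fix list: the O4 lines the helper told the poster to fix.
FIX_LIST = r"""O4 - HKLM\..\Run: [mfcwk.exe] C:\WINDOWS\mfcwk.exe
O4 - HKLM\..\RunOnce: [netjv.exe] C:\WINDOWS\netjv.exe
O4 - HKLM\..\RunOnce: [crmd.exe] C:\WINDOWS\system32\crmd.exe
"""

ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d{1,2}) - (?P<body>.*)$")
O4_RE = re.compile(r"^(?P<key>[^:]+): \[(?P<label>[^\]]*)\] (?P<cmd>.+)$")


def parse_log(text):
    """Split a log into (running process paths, [(kind, body), ...])."""
    processes, entries = [], []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False  # a blank line ends the process block
            continue
        if line == "Running processes:":
            in_procs = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False
            entries.append((m.group("kind"), m.group("body")))
        elif in_procs:
            processes.append(line)
    return processes, entries


def basename(path):
    """Case-folded file name of a Windows path (or bare res:// DLL name)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def res_hijacks(entries):
    """R0/R1 entries whose value is a res:// URL, grouped by serving DLL."""
    found = defaultdict(list)
    for kind, body in entries:
        if kind not in ("R0", "R1"):
            continue
        _key, _sep, value = body.partition(" = ")
        if not value.lower().startswith("res://"):
            continue
        # res://<dll path>/<page>#<id>: the DLL is everything before the first '/'
        dll = value[len("res://"):].split("/")[0]
        found[basename(dll)].append(f"{kind} - {body}")
    return dict(found)


def autorun_commands(entries):
    """O4 entries as (registry key, label, executable path)."""
    out = []
    for kind, body in entries:
        m = O4_RE.match(body) if kind == "O4" else None
        if not m:
            continue
        cmd = m.group("cmd")
        # A quoted command keeps its spaces; otherwise the exe ends at the first space.
        exe = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(" ", 1)[0]
        out.append((m.group("key"), m.group("label"), exe))
    return out


def processes_to_kill(fix_entries, processes):
    """Executables from the chosen O4 fixes that are still in the process list."""
    running = {basename(p) for p in processes}
    wanted = {basename(exe) for _, _, exe in autorun_commands(fix_entries)}
    return sorted(wanted & running)


if __name__ == "__main__":
    procs, ents = parse_log(SAMPLE_LOG)
    for dll, lines in res_hijacks(ents).items():
        print(f"res:// hijack served by {dll}:")
        for line in lines:
            print("   ", line)
    print("end before fixing:", processes_to_kill(parse_log(FIX_LIST)[1], procs))
```

On the excerpt this reports both R0/R1 lines as served by kuiti.dll and names mfcwk.exe and netjv.exe as still running, while crmd.exe (a RunOnce entry with no live process) only needs its registry entry fixed. The res:// check is a signature of this particular hijack as described in the thread, not a general verdict on every res:// value, and the running-process intersection only tells you what to end before the fix, not what is malicious.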
     
