Help please- tried everything else so here is logfile

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by t333, Sep 12, 2004.

  1. t333

    t333 Private E-2

    Hi there,
    Newbie to these problems and having a spot of bother solving them.

    Firstly, I was hijacked by something that took my browser to heretofind.com the whole time. That seems to have gone, but I now have the Elite Bar for Internet Explorer. I also seem to get a lot of pop-ups, particularly from a site called Capital One. I also have some folders on my hard drive that I can't delete or access. They have something called Sp and Sp2 in them. I think they are redirecting my homepage to some site. These folders are called b714c3b3f7fb6eddb633e4c3, 89e8b273ec39c996f and 0bf931eaeaafe74a4261fa99. On second thoughts, they might be something to do with Service Pack 2??

    When I run Browser Hijack Blaster, a new BHO thing keeps on adding Elitebar to my homepage. It won't delete or go away even if I try and delete it with a program I downloaded called MoveonBoot.

    Also, the system is running slowly and web pages don't seem to load unless I press refresh. Also, Internet Explorer freezes and stops responding...

    I have run various things listed below in normal and safe modes:

    1. CCleaner
    2. Ad-Aware SE v1.04
    3. Spybot - I always get something that says DSO Exploit (4 or 5 entries)
    4. My antivirus - Panda Titanium (v.3.01.00), updated & full scan
    5. Updated Windows XP to Service Pack 2 (did this first)
    6. CWShredder

    Have disabled system restore as well.

    Anyway, I am confused and running out of ideas - so here is my HijackThis logfile. Any advice or help would be much appreciated.

    Edit by chaslang: changed inline log to an attachment.
     

    Attached Files:

    Last edited by a moderator: Sep 12, 2004
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please complete the rest of the recommended steps in this Sticky thread < READ ME FIRST: Basic Spyware, Trojan And Virus Removal >

    And then, after reading the rules about HijackThis log posting, post a new HijackThis log AS A .TXT FILE ATTACHMENT. Do not cut off the top line that shows the HJT version number. Make sure you have version 1.98.2. Read this Sticky thread < Hijack This Tutorial And How To Post Your Log File >

    Make sure you shut down unnecessary applications as required! ALL BROWSERS MUST BE CLOSED. You have too much stuff running that should not be when scanning, making more work for us.

    Do NOT run HijackThis from the Desktop, a temp folder, or by choosing Run from the download (i.e., running from the ZIP file like you did). Place it in its own folder, for example C:\Program Files\HJT. Correct this immediately.

    And just to help speed this work up, before posting a new log, have HijackThis fix the following:
    R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
    O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
    O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
    O9 - Extra button: Corel Network monitor worker - {C653F33D-B900-4DCB-8945-824589A113EB} - (no file)
    O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {C653F33D-B900-4DCB-8945-824589A113EB} - (no file)
    O9 - Extra button: Corel Network monitor worker - {C653F33D-B900-4DCB-8945-824589A113EB} - (no file) (HKCU)
    O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {C653F33D-B900-4DCB-8945-824589A113EB} - (no file) (HKCU)
    O9 - Extra button: Homepage - {E5D6905E-CEA6-49BA-90EE-FED7FB334F6B} - http://bt.yahoo.com (file missing) (HKCU)
    O9 - Extra button: BT - {EA386A0C-ABF7-4265-98FF-CF4D4EF7DDCB} - http://www.bt.com (file missing) (HKCU)
     
    Last edited: Sep 12, 2004
  3. t333

    t333 Private E-2

    Thanks. I will give it a go tonight and post back with results.
     
  4. t333

    t333 Private E-2

    Ok,

    Have followed your kind advice. Didn't seem to find anything - but don't really know what I am doing...
    Anyway, it seems a bit better but still lots of the same pop-ups. Is it too early to tell?
    Anyway, fixed items in HJT as you suggested and will attach new logfile.

    Once again, any help would be absolutely great!

    Thanks

    t333
     

    Attached Files:

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Make sure you can view hidden files and folders as per the READ ME FIRST thread.

    I think you may also have a Peper trojan problem.

    Please run the following:
    http://www.memorywatcher.com/uninst.exe

    if you have problems at the above link try this one: http://tools.zerosrealm.com/uninst.exe

    Run it while online.
    -------------------------
    Then go into Control Panel/Add Remove Programs
    Look for Delphin Media and remove it (if found)
    If there is a Memory Watcher on the list, remove that too.

    Now, to uninstall the latest variant of the Peper (aka Sandboxer) trojan, run the below:
    http://tools.zerosrealm.com/PeperFix.exe


    Reboot into safe mode by following instructions here: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406


    Now run HijackThis, select the below line, make sure all browser & email windows are closed, and click Fix checked:

    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE

    Delete the below file:
    C:\WINDOWS\UpdReg.EXE

    Now reboot normally, get a new HijackThis log and post it here as an attachment.
     
  6. t333

    t333 Private E-2

    Ok,
    Have carried out all your instructions. PeperFix hopefully fixed 2 things.
    Then fixed the file in HJT (safe mode) and then deleted the file (safe mode).
    Back in normal boot now and have attached new HJT log file....
    How is it looking?

    Thanks
    t333
     

    Attached Files:

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay one more item to fix using HJT:
    O4 - HKLM\..\Run: [Sys29] C:\windows\system32\winaak32.exe

    Then again reboot in safe mode and delete:
    C:\windows\system32\winaak32.exe

    Then let me know how things are working. That should hopefully finish cleaning you up.
     
  8. t333

    t333 Private E-2

    OK,
    can't find the file when I run HJT, or in the Windows directory when I boot in safe mode...?
    Seems to be running OK - but I still have to refresh web pages before I see them.
    I will have another look tomorrow...
    t333
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The below step was not to be performed in safe mode. It was for normal boot. The file deletion was to be performed in safe mode.

    Okay one more item to fix using HJT:
    O4 - HKLM\..\Run: [Sys29] C:\windows\system32\winaak32.exe

    If you get a HijackThis log now from normal boot mode, does the above line still appear?
    If so, fix it, then reboot and delete the file using Windows Explorer. You MUST have viewing of hidden files and folders enabled in order to find it. Did you do this?
     
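The HijackThis lines that chaslang asks to be fixed across this thread fall into two groups: orphaned registry references whose backing file is gone (the R3/O9 lines marked "(no file)" or "(file missing)") and O4 Run-key autostart entries that need a human judgement call (UpdReg.EXE, winaak32.exe). The script below is an added example, not from the thread or from the HijackThis project: it parses log lines of those three section types, flags orphans, lists autostart commands for review, and groups lines that share one CLSID (the MaxSpeed button and its Tools menu item are one component registered twice). The sample input is constructed from lines quoted in this thread; the `Entry` field names and the `triage` grouping are this example's own choices, not HijackThis terminology.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: HijackThis log lines of the kinds quoted in this thread
# (R3 URLSearchHook, O4 Run-key autostart, O9 Extra button / 'Tools' menu item).
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Sys29] C:\windows\system32\winaak32.exe
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra button: Corel Network monitor worker - {C653F33D-B900-4DCB-8945-824589A113EB} - (no file) (HKCU)
O9 - Extra button: Homepage - {E5D6905E-CEA6-49BA-90EE-FED7FB334F6B} - http://bt.yahoo.com (file missing) (HKCU)
"""

LINE_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# O4 body layout: HKLM\..\Run: [ValueName] command line
O4_RE = re.compile(r"^(?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>[A-Za-z]+): \[(?P<name>[^\]]*)\] (?P<command>.*)$")
MISSING_MARKERS = ("(no file)", "(file missing)")


@dataclass
class Entry:
    section: str            # HJT section code, e.g. "O4"
    raw: str                # the original log line
    name: Optional[str]     # Run value name, or button / menu caption
    target: Optional[str]   # file or URL the entry points at, if any
    clsid: Optional[str]    # CLSID for BHO- and button-style entries
    hive: Optional[str]     # registry hive, known for O4 entries
    orphan: bool            # registry still references a file that is gone
    per_user: bool          # entry lives under HKCU (HJT appends "(HKCU)")


def parse_entry(line: str) -> Optional[Entry]:
    """Parse one HijackThis log line; returns None for headers and other non-entry lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")

    per_user = body.endswith("(HKCU)")
    if per_user:
        body = body[: -len("(HKCU)")].rstrip()
    orphan = any(marker in body for marker in MISSING_MARKERS)
    clsid_match = CLSID_RE.search(body)
    clsid = clsid_match.group(0) if clsid_match else None

    if section == "O4":
        o4 = O4_RE.match(body)
        if not o4:
            return Entry(section, line, None, None, clsid, None, orphan, per_user)
        return Entry(section, line, o4.group("name"), o4.group("command"),
                     clsid, o4.group("hive"), orphan, per_user)

    # Generic "Kind: Name - {CLSID} - target" layout used by the R3 and O9 lines
    parts = [p.strip() for p in body.split(" - ")]
    name = parts[0].split(": ", 1)[1] if ": " in parts[0] else None
    target = parts[-1]
    for marker in MISSING_MARKERS:
        target = target.replace(marker, "")
    target = target.strip() or None
    return Entry(section, line, name, target, clsid, None, orphan, per_user)


def triage(log_text: str) -> dict:
    """Group entries the way a helper reviews them: orphaned references (dead
    registry data, nothing to lose by fixing), autostart commands that need a
    look at the file itself, and CLSIDs registered under several lines."""
    entries = [e for e in (parse_entry(ln) for ln in log_text.splitlines()) if e]
    by_clsid: dict = {}
    for e in entries:
        if e.clsid:
            by_clsid.setdefault(e.clsid, []).append(e.raw)
    return {
        "orphans": [e.raw for e in entries if e.orphan],
        "autostarts": [(e.name, e.target) for e in entries if e.section == "O4"],
        "shared_clsids": {c: lines for c, lines in by_clsid.items() if len(lines) > 1},
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print("Orphaned entries (fix in HJT):")
    for raw in report["orphans"]:
        print("  " + raw)
    print("Autostart commands to review:")
    for name, command in report["autostarts"]:
        print(f"  [{name}] {command}")
    print("CLSIDs registered more than once:")
    for clsid, lines in report["shared_clsids"].items():
        print(f"  {clsid}: {len(lines)} lines")
```

The orphan test is purely textual, so it reproduces what HijackThis itself reports; the autostart list deliberately does not decide anything, because an O4 line is only evidence that a file runs at logon, and whether that file belongs there is the judgement the thread's helper makes by name and location before asking for it to be removed.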
