Help With "Only The Best" Log File Included

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by swingset, Jun 18, 2004.

  1. swingset

    swingset Private E-2

    Ok guys, I guess I need a little help with this problem. I already ran a virus scan that came up with nothing. I ran AdAware and I also ran CWShredder. Here is my log file. Hopefully someone out there can help me out.

    Logfile of HijackThis v1.97.7
    Scan saved at 8:33:11 PM, on 6/18/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    C:\WINDOWS\System32\gearsec.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    C:\Program Files\Norton Utilities\NPROTECT.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Speed Disk\nopdb.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\crtd32.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\WINDOWS\GWMDMMSG.exe
    C:\WINDOWS\mHotkey.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\mfcdf.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\BestBuy\HelpExpress\Barrett McConnell\HXIUL.EXE
    C:\Program Files\BestBuy\HelpExpress\Barrett McConnell\Client\HelpExp.exe
    C:\WINDOWS\wt\updater\wcmdmgr.exe
    C:\Documents and Settings\Barrett McConnell\Desktop\Barrett's Stuff\Apps\HijackThis.exe
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\rmnoo.dll/sp.html#37049
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://rmnoo.dll/index.html#37049
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://rmnoo.dll/index.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\rmnoo.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://rmnoo.dll/index.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\rmnoo.dll/sp.html#37049
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {263D8EC6-3994-13AE-F18C-F072FE879294} - C:\WINDOWS\system32\ntdw32.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
    O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [mfcdf.exe] C:\WINDOWS\mfcdf.exe
    O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
    O4 - HKCU\..\Run: [HXIUL.EXE] C:\Program Files\BestBuy\HelpExpress\Barrett McConnell\HXIUL.EXE
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [HELPEXP.EXE] C:\Program Files\BestBuy\HelpExpress\Barrett McConnell\Client\HelpExp.exe
    O4 - HKLM\..\RunOnce: [crtd32.exe] C:\WINDOWS\crtd32.exe
    O4 - HKLM\..\RunOnce: [javaia32.exe] C:\WINDOWS\javaia32.exe
    O4 - HKLM\..\RunOnce: [ipef32.exe] C:\WINDOWS\ipef32.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Norton System Doctor.lnk = C:\Program Files\Norton Utilities\SYSDOC32.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: AIM (HKLM)
    O14 - IERESET.INF: START_PAGE_URL=http://www.bestbuy.msn.com
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
    O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  3. swingset

    swingset Private E-2

    Nope, I don't see that file. But I do see a file called C:\WINDOWS\system32\ntdw32.dll
     
  4. mag00

    mag00 Sergeant



    These look to be stuff you don't want.
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\rmnoo.dll/sp.html#37049
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://rmnoo.dll/index.html#37049
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://rmnoo.dll/index.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\rmnoo.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://rmnoo.dll/index.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\rmnoo.dll/sp.html#37049

    This one seems to be for a shopping helper from the UK, don't know if you need it.
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

    Next one seems to be spyware.
    O4 - HKCU\..\Run: [HXIUL.EXE] C:\Program Files\BestBuy\HelpExpress\Barrett McConnell\HXIUL.EXE


    Now I am not too good with clearing XP problems, but the best bet is to disconnect from the internet and turn off System Restore (so I hear).

    I assume your start page has been hijacked and is no longer MSN. Anyway there are a bunch of threads with fixes for some similar problems (hijacking), that will better outline a step by step than I can offer.

    Wish I could be more help.
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Mag, your fix will not work. This "Only the Best" problem will mutate and create more and more DLLs and bad EXE files if you take the simple approach of just having HijackThis fix the apparently bad R0 and R1 lines. Quite a bit more work is required than that. You should look at some of the other links where we have been able to fix this problem.

    Also, the BHO line with AcroIEHelper.dll is part of an Internet Explorer add-on for Acrobat Reader. It has nothing to do with a shopping helper.

    You are correct about the line with HXIUL.EXE. It is adware. Here is some info on it from http://www.answersthatwork.com/Tasklist_pages/tasklist_h.htm
    Alset's HelpExpress. Useless background adware which tells you when you need to buy printer cartridges, and where to buy them, and all sorts of other things like this.

    Recommendation:
    Firstly Alset are the same crowd as Aveo who produce the similarly useless Aveo Attune. Secondly, at the time of writing of this entry (March 2002), Alset and Aveo seem to have gone out of business. Thirdly, as with Aveo Attune, some users have experienced conflicts with other software. De-install HelpExpress immediately via the "Add/Remove Programs" icon in the Control Panel.
     
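A small triage script for HijackThis logs like the one in this thread, added here as an example and not part of the thread or of HijackThis itself: it picks out the res:// start/search pages and the companion DLL/EXE entries (unnamed BHO in the Windows directory, Run/RunOnce items launching from the WINDOWS root) that chaslang says have to be dealt with together rather than just fixing the R0/R1 lines. The sample log is a constructed subset of the lines quoted above, and the severity rules are the example's own heuristics, not anything HijackThis reports.

```python
import re
import ntpath

# Constructed sample in HijackThis v1.97 log format, modelled on a subset of
# the lines quoted in this thread (the real log is much longer).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\rmnoo.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://rmnoo.dll/index.html#37049
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {263D8EC6-3994-13AE-F18C-F072FE879294} - C:\WINDOWS\system32\ntdw32.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [mfcdf.exe] C:\WINDOWS\mfcdf.exe
O4 - HKLM\..\RunOnce: [crtd32.exe] C:\WINDOWS\crtd32.exe
O4 - HKLM\..\RunOnce: [javaia32.exe] C:\WINDOWS\javaia32.exe
"""

# Line shapes HijackThis 1.97 uses for the three sections triaged here.
R_LINE = re.compile(r"^R[01] - .+?=\s*res://(?:.*\\)?([^\\/]+\.dll)/", re.I)
O2_LINE = re.compile(r"^O2 - BHO: (.+?) - \{[^}]+\} - (.+)$")
O4_LINE = re.compile(r"^O4 - HK\w+\\\.\.\\(Run\w*): \[[^\]]+\] \"?(.+?\.exe)", re.I)
WIN_ROOT = re.compile(r"C:\\WINDOWS\\[^\\]+$", re.I)       # file directly in C:\WINDOWS
WIN_SYS32 = re.compile(r"C:\\WINDOWS\\system32\\[^\\]+$", re.I)

def triage(log_text):
    """Return (severity, reason, file) tuples for entries worth a second look."""
    findings = []
    for line in log_text.splitlines():
        if m := R_LINE.match(line):
            # A res:// start/search page points IE at HTML packed inside a
            # local DLL, which is how this hijacker shows up in the R lines.
            findings.append(("high", "IE page served from local DLL", m.group(1)))
        elif m := O2_LINE.match(line):
            name, path = m.groups()
            if name == "(no name)" and (WIN_ROOT.search(path) or WIN_SYS32.search(path)):
                findings.append(("review", "unnamed BHO in Windows directory", ntpath.basename(path)))
        elif m := O4_LINE.match(line):
            key, path = m.groups()
            if WIN_ROOT.search(path):
                # RunOnce entries dropped straight into the WINDOWS root are the
                # freshly created EXEs the thread warns about; plain Run gets a look.
                sev = "high" if key.lower() == "runonce" else "review"
                findings.append((sev, f"{key} entry launching from WINDOWS root", ntpath.basename(path)))
    return findings

def companion_files(findings):
    """Files to examine as one set: fixing only the R0/R1 lines leaves the rest behind."""
    return {f for _, _, f in findings}

if __name__ == "__main__":
    for sev, reason, f in triage(SAMPLE_LOG):
        print(f"{sev:6} {f:16} {reason}")
```

Heuristics like the WINDOWS-root rule will also catch legitimate OEM tools that install there (the log above has a couple), so the output is a review list, not a removal list.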
