Hijack log help please?

Discussion in 'Malware Help (A Specialist Will Reply)' started by able195, Jul 22, 2005.

  1. able195

    able195 Private E-2

    Hi,

    Could someone please help with this log?

    Thanks in advance. I have spent most of the day fixing a friend's computer that was absolutely full of spyware, malware, etc, etc, etc. It had psguard, trojan.agent.eo and some others. I think I have got most of it now. I have used ewido, regrun, dr delete, adaware, and manually deleted reg files as I could see that needed to be, e.g. about:blank.

    It is running Norton's AV (latest). No updates have been done from the web as I am not sure what personal details they have on their computer and I did not want to risk anything until I am sure it is okay.

    I am not sure what to do after running HijackThis, which ones to delete, ignore, keep etc.

    Here it is:

    Edit by bjgarrick: Unrequested, Inline HJT log removed!


    Thanks!
    Gavin.
     
    Last edited by a moderator: Jul 22, 2005
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please follow standard cleanup procedures as given below:

    - Run ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal

    Make sure you check version numbers and get all updates.

    - Very Important: Make sure you tell us the results from running the tutorial... was anything found? Were you unable to complete any of the scans? Were you unable to download any of the tools? Did you do the on-line scans as suggested? etc.


    After doing ALL of the above and you still have a problem, make sure you have booted to normal mode and run the steps below:



    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run HijackThis from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the ZIP file, as your backups will not be safely stored.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like Notepad, WordPad, MS Word etc. And any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next post. (Do NOT copy/paste the log into your post as it will be removed).

    - Need help with HJT? See this thread: NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting
     
  3. able195

    able195 Private E-2

    I must have unknowingly done the wrong thing. "Unrequested, Inline HJT log removed!". Thanks for your advice.
     
  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    We have guidelines and announcements that must be followed before any logs are requested. Please follow Post #2 and then we will go from there.
     
  5. able195

    able195 Private E-2

    Hi,

    Thanks for the advice - I didn't read enough first and feel really stupid...

    I have followed all the steps, down to completing RavAntivirus. All the programs are downloaded, installed on C: (not desktop) and updated totally.

    I couldn't complete these in safe mode with networking as it would not connect. I also cannot load the VX2 plugin. I downloaded the file from MG (and from Lavasoft), installed it and it will not come up in Ad-Aware / Add-ons / Extensions.

    Originally about:blank and HomeSearchAssistant were there but I manually removed them before I knew of these two products. They have been run and it is clean.

    As to the "Important Notes Before Continuing Scans", these are all completed.

    Regscrub and Regcleaner still don't remove the reg key of klm/software/shudderlt/psguard/psguard/license, either manually or automatically. It comes up with an error and cannot remove the key. Backups are all turned off when these are run.

    System Restore is off, and saved backup reg files have been manually deleted where I can find them. I think this is why bitdefender, ewido etc. are each missing a file in the HJT log.

    I then ran the HJT log through the analyser site you gave and it seems (?) there are no major dramas.

    As to NAV, I am licensed to use a 'Home Version' of a Symantec Corporate Edition (single CD-ROM) that does not allow us to make safety disks. I cannot find a fix on Symantec's site for this to run NAV from a DOS prompt.

    Every possible program is updated.

    Once this is solved I will remove Virtual from their machine and install Firefox and T/bird, as I have done on my computer.

    What would you like me to look at, try to fix or do now? Is it possible to post the log for analysis?

    Thanks for your patience (again) and time in reading this.

    Regards,
    Gavin.
     
  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    First let me warn you about the HijackThis analyzers: they are NOT 100% accurate and detect legit items as being bad entries.

    Go ahead and attach a current HJT log from normal mode.
     
  7. able195

    able195 Private E-2

    Hi,

    Thanks again!

    [EDIT] Inline log converted to attachment per the instructions provided in post #2. [/EDIT]


    Regards,
    Gavin
     

    Last edited by a moderator: Jul 25, 2005
  8. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Scan with HijackThis and check the boxes for the following:

    Make sure ALL browser windows are closed when you click FIX.

    O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html

    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

    O16 - DPF: {2646205B-878C-11D1-B07C-0000C040BCDB} (NSIEMisc Class) - file://D:\HD\nskey.dll

    O23 - Service: ewido security suite control - Unknown owner - C:\Program Files\ewido\security suite\ewidoctrl.exe (file missing)

    Again, make sure ALL browser windows are closed when you click FIX.

    NOW:
    Navigate to and DELETE the following if it should remain:

    C:\WINDOWS\wweb32.dll

    NEXT:
    Run CCleaner to clean up cookies and temp files.

    Run full scans with Ad-Aware SE & Spybot S&D and have both programs fix what they find.
    Note: Remember to get all updates before doing the scans.

    Then, as an added precaution, go to Start > Run, type: cleanmgr and click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin

    And click OK.

    Reboot to normal Windows, scan with HijackThis and attach the new log.
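The fix list in the post above is built by hand from three observations: entries HijackThis itself tagged "(file missing)" are dead references left behind by the cleanup, the two O9 lines share one CLSID and therefore go together, and an entry that points at a file still on disk (here C:\WINDOWS\wweb32.dll) needs the file deleted separately, because ticking the box only removes the reference. The script below is an added example, not part of the thread or of HijackThis; it parses a constructed log excerpt modelled on the quoted lines and mechanizes that bookkeeping. It does not decide what is malicious: the analyst still supplies the paths judged bad (the fix_paths argument is this example's own invention), and the script flags the dead entries, pulls in CLSID companions, and lists the surviving files to delete afterwards.

```python
"""Bookkeeping helper for a HijackThis (HJT) log.

Added example, not HJT's own code. The log excerpt is constructed: the
O8/O9/O16/O23 lines mirror the ones quoted in post #8, the R0 and O4 lines
are filler a real log would also contain.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {2646205B-878C-11D1-B07C-0000C040BCDB} (NSIEMisc Class) - file://D:\HD\nskey.dll
O23 - Service: ewido security suite control - Unknown owner - C:\Program Files\ewido\security suite\ewidoctrl.exe (file missing)
"""

# An HJT entry is "<section> - <body>", e.g. "O9 - Extra button: ...".
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Drive-letter or %VAR%-rooted Windows path ending in a binary extension;
# non-greedy so "res://C:\...\x.dll/lookup.html" yields only the DLL path.
PATH_RE = re.compile(
    r"(?:[A-Za-z]:|%[A-Za-z_]+%)\\.+?\.(?:dll|exe|ocx|cpl|sys)\b", re.IGNORECASE
)


@dataclass
class Entry:
    section: str
    body: str
    clsid: Optional[str]      # lower-cased, so the two O9 lines compare equal
    paths: List[str]
    file_missing: bool        # HJT's own "(file missing)" annotation

    def line(self) -> str:
        return f"{self.section} - {self.body}"


def parse_line(line: str) -> Optional[Entry]:
    """Parse one log line; returns None for header/process-list lines."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    body = m.group("body")
    c = CLSID_RE.search(body)
    return Entry(
        section=m.group("section"),
        body=body,
        clsid=c.group(0).lower() if c else None,
        paths=PATH_RE.findall(body),
        file_missing="(file missing)" in body.lower(),
    )


def parse_log(text: str) -> List[Entry]:
    return [e for e in map(parse_line, text.splitlines()) if e is not None]


def entries_for_clsid(entries: Sequence[Entry], clsid: str) -> List[Entry]:
    return [e for e in entries if e.clsid == clsid.lower()]


def expand_by_clsid(entries: Sequence[Entry], chosen: Sequence[Entry]) -> List[Entry]:
    """Add every entry sharing a CLSID with an already chosen one (O9 pairs)."""
    wanted = {e.clsid for e in chosen if e.clsid}
    out = list(chosen)
    for e in entries:
        if e.clsid in wanted and not any(e is c for c in out):
            out.append(e)
    return out


def files_to_delete(chosen: Sequence[Entry]) -> List[str]:
    """Paths referenced by chosen entries that HJT did not report missing.

    Fixing the entry removes only the reference; the file stays until deleted.
    """
    seen: List[str] = []
    for e in chosen:
        if e.file_missing:
            continue
        for p in e.paths:
            if p.lower() not in (s.lower() for s in seen):
                seen.append(p)
    return seen


def plan_fix(log_text: str, fix_paths: Sequence[str] = ()) -> Tuple[List[Entry], List[str]]:
    """Return (entries to tick in HJT, files to delete by hand afterwards).

    fix_paths: paths the analyst has already judged malicious (this argument
    is the example's own design, not an HJT feature).
    """
    entries = parse_log(log_text)
    wanted = {p.lower() for p in fix_paths}
    chosen = [e for e in entries
              if e.file_missing or any(p.lower() in wanted for p in e.paths)]
    chosen = expand_by_clsid(entries, chosen)
    return chosen, files_to_delete(chosen)


if __name__ == "__main__":
    ticks, deletes = plan_fix(SAMPLE_LOG, fix_paths=[r"C:\WINDOWS\wweb32.dll", r"D:\HD\nskey.dll"])
    print("Tick in HJT:")
    for e in ticks:
        print("  " + e.line())
    print("Then delete by hand:")
    for p in deletes:
        print("  " + p)
```

Run stand-alone, it prints the five entries from post #8 as the tick list and the two surviving DLLs as the files to remove afterwards; the O4 and R0 filler lines are left alone because nothing marks them bad. The "(file missing)" rule is only a hint, not proof of malice: a legitimately uninstalled product (the ewido service here) leaves the same residue, which is why the fix list is reviewed by a person before FIX is clicked.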
     
