HIJACK THIS log - please help

Discussion in 'Malware Help (A Specialist Will Reply)' started by destinationchaos, Dec 3, 2006.

  1. destinationchaos

    destinationchaos Private E-2

    Hello, if anyone is up for what might be a challenge, attached are my HIJACK THIS logfile and the other scan logs from "Read and Run Me First". Both Spybot and Adaware found Smitfraud on multiple occasions but even after I clicked "fix" or "remove" it reoccurred when I rebooted my computer. I first realized that I had a problem when IE kept opening random sites when I wasn't even near my computer. When I googled the sites, to see if there was any information about them, or a similar problem, nothing came up.

    So being stuck, I would really appreciate some help.
    Thanks,
    Destinationchaos
     


    Last edited: Dec 3, 2006
  2. destinationchaos

    destinationchaos Private E-2

    Here is the next sequence of logs.
     


  3. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Where to start, where to start...let's try and make a dent here...

    Please see the below thread on how to install and run Ewido Anti-Malware.

    Once you complete the scan above, I would like a fresh Panda log and a fresh HJT log with the log from Ewido. This should knock out the majority of your infections. I will be awaiting the results. :)
     
  4. destinationchaos

    destinationchaos Private E-2

    Thank you so much for your quick response! I will try this when I get home again in a few hours and repost the results. One more thing.... another sign of infection that I keep getting is when I reboot, a program called "windowhider" pops up for 1-2 seconds before disappearing completely. I have not knowingly installed anything like this. When I use TaskMngr to close it, it is identified as "svchost.exe".
     
  5. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    One thing to remember is you have a lot of infections and the longer you wait the more they could mutate and cause more problems so the sooner the better.
     
  6. destinationchaos

    destinationchaos Private E-2

    Ok, I finally got the scans done! Here they are...
    Thanks again. Also, I noticed that the mysterious window has continued to appear, but IE stopped opening the random sites.
     


  7. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Before starting this fix uninstall Ewido and disable Spybot's TeaTimer as they can both cause problems with the instructions below.


    Download Pocket KillBox
    • Save it to your desktop or a place easy to find.
    • Do not run it yet
    Now scan with HijackThis and check the boxes for the following entries:
    ( Make sure ALL browser windows are closed when you click FIX )

    O4 - HKLM\..\Run: [ticker.addItem('<span style=\"font-family:\'Verdana, Arial\'; font-size:23pt; font-weight:900\"><br>More than 700.000<br>Domains registered!<br></span] c:\WINDOWS\System32\ticker.addItem('<span style=\"font-family:\'Verdana, Arial\'; font-size:23pt; font-weight:900\"><br>More than 700.000<br>Domains registered!<br></span>');
    O4 - HKLM\..\Run: [ticker.addItem('<span style=\"font-family:\'Verdana, Arial\'; font-size:23pt; font-weight:900\"><br><br>Nameservice for free<br></span] c:\WINDOWS\System32\ticker.addItem('<span style=\"font-family:\'Verdana, Arial\'; font-size:23pt; font-weight:900\"><br><br>Nameservice for free<br></span>');
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [only23] C:\WINDOWS\SCVHOST.exe
    O4 - HKLM\..\Run: [MSConfigs] c:\autoback\svchost.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [updmgr] C:\Program Files\Common files\updmgr\updmgr.exe
    O4 - HKLM\..\Run: [ticker.addItem('<span style=\"font-family] \'Verdana, Arial\'; font-size:23pt; font-weight:900\"><br><br>Nameservice for free<br></span:c:\WINDOWS\System32\ticker.addItem('<span style=\"font-family:\'Verdana, Arial\'; font-size:23pt; font-weight:900\"><br><br>Nameservice for free<br></span>');
    O4 - HKCU\..\Run: [ticker.addItem('<span style=\"font-family:\'Verdana, Arial\'; font-size:23pt; font-weight:900\"><br>More than 700.000<br>Domains registered!<br></span] c:\WINDOWS\System32\ticker.addItem('<span style=\"font-family:\'Verdana, Arial\'; font-size:23pt; font-weight:900\"><br>More than 700.000<br>Domains registered!<br></span>');
    O4 - HKCU\..\Run: [ticker.addItem('<span style=\"font-family:\'Verdana, Arial\'; font-size:23pt; font-weight:900\"><br><br>Nameservice for free<br></span] c:\WINDOWS\System32\ticker.addItem('<span style=\"font-family:\'Verdana, Arial\'; font-size:23pt; font-weight:900\"><br><br>Nameservice for free<br></span>');
    O4 - HKCU\..\Run: [rkfr] C:\PROGRA~1\COMMON~1\rkfr\rkfrm.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
    O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)

    O15 - Trusted Zone: www.hotmail.com

    O20 - AppInit_DLLs:

    O23 - Service: Active HelpAssistant - Unknown owner - C:\WINDOWS\IIS\iisset (file missing)

    O23 - Service: OESH (Office Source Engine Help) - Unknown owner - C:\Program.exe (file missing)

    Again, make sure ALL browser windows are closed when you click FIX.

    • Now Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    • On the page that opens, scroll down to OESH (Office Source Engine Help)
    • Then right click the entry, select Properties and press Stop Service.
    • When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
    • Click OK until you get back to Windows.
    • Next, run HJT, but instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
    • At the lower right, click on the Config button
    • Then click the Misc tools button
    • Select Delete an NT Service
    • Copy/paste OESH into the box that opens, and press OK
    • If you receive any error messages just ignore them and continue.
    • Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.

    Now, Please boot into Safe Mode, be sure you have the Viewing of Hidden Files & Folders Enabled per the tutorial. Now, navigate to and DELETE the following if they should remain:

    C:\Program Files\Common files\rkfr Delete this whole folder if it exists!

    C:\Program Files\Common files\updmgr Delete this whole folder if it exists!

    Next, run CCleaner to clean up cookies and temp files.

    Locate PocketKillbox
    (Proceed with this step even if they do not show in blue)

    Next, you will be entering items into Pocket KillBox. Please select the “Delete on Reboot” Option. Copy&Paste each of the file names listed below into the box one by one, making sure Delete on Reboot is Checked for each entry. Click the Red X for each entry, but DO NOT Allow your machine to be rebooted until the last item has been entered:

    ** Note: For any of the .dll files, check the Unregister .dll Before Deleting box as well. If this option is not enabled, don't worry about it.

    • If you get an error message about Pending Operations, just reboot your computer manually.

    After you complete the above, REBOOT and proceed with the rest of this fix...

    Next Reset Web Settings & Default Security Settings

    To Reset Web Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK

    To Default Security Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Security Tab and click Default Level for Internet, Local Intranet, Trusted Sites, and Restricted Sites.

    Note for IE 7 users:
    Select Internet Options, then the Advanced Tab and then the Reset button under Reset Internet Explorer Settings.

    Finally, I would like you to flush your System Restore points. Please follow the instructions in the below:

    • Disable and Re-enable System Restore

    • Turn OFF System Restore to flush any bad Restore Points.

    • Then, follow the instructions at the bottom of the linked page to Re-enable the Restore Utility which will create a fresh restore point.
    After you complete the above reboot once more and then scan with HijackThis and attach the new log.

    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.
     
  8. destinationchaos

    destinationchaos Private E-2

    Ok. Followed all of the instructions...
    I wasn't clear on whether to reboot in safe or normal mode after using Kill Box, so I went ahead and chose normal mode. I hope that was the right decision. I have attached the new HJT log file as requested. My computer did not open the "mysterious" application when I rebooted, and, as before, IE is not opening random sites. I saved your instructions in word so that I could open them in safe mode. However, when I rebooted just now before running HJT, I got an error message when I opened word, although the document opened fine.
    In case it matters, here is the error message:
    "Microsoft Visual C++ Runtime Library
    Runtime Error!
    Program: C:\Programfiles\MicrosoftOffice\Office10\winword.exe
    abnormal program termination"

    Thanks again for all of your help; I am VERY impressed!:)
     


    Last edited: Dec 5, 2006
  9. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please look in Add/Remove Programs and uninstall anything Viewpoint related.

    Now scan with HijackThis and check the boxes for the following entries:
    ( Make sure ALL browser windows are closed when you click FIX )

    O4 - HKLM\..\Run: [only23] C:\WINDOWS\SCVHOST.exe
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

    O23 - Service: Active HelpAssistant - Unknown owner - C:\WINDOWS\IIS\iisset (file missing)
    O23 - Service: Indexing Helps (Indexingbox) - Unknown owner - %WINDIR%\system\svchest.exe (file missing)

    Again, make sure ALL browser windows are closed when you click FIX.

    • Now Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    • On the page that opens, scroll down to Active HelpAssistant
    • On the page that opens, scroll down to Indexing Helps (Indexingbox)
    • Then right click the entry, select Properties and press Stop Service.
    • When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
    • Click OK until you get back to Windows.
    • Next, run HJT, but instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
    • At the lower right, click on the Config button
    • Then click the Misc tools button
    • Select Delete an NT Service
    • Copy/paste Indexingbox into the box that opens, and press OK
    • Copy/paste Active HelpAssistant into the box that opens, and press OK
    • If you receive any error messages just ignore them and continue.
    • Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.

    Locate PocketKillbox
    (Proceed with this step even if they do not show in blue)

    Now, Copy and Paste C:\WINDOWS\scvhost.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\IIS\iisset into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\system\svchest.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES and allow your PC to reboot.

    • If you get an error message about Pending Operations, just reboot your computer manually.

    Next, run CCleaner to clean up cookies and temp files.

    Once you complete this post reboot once more and attach a fresh HJT log. Also let me know how things are running.
     
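The two fix posts above pick out the bad autostarts and services by a handful of tells that recur in almost every HijackThis log: a binary named almost but not quite like a core Windows process (SCVHOST.exe, svchest.exe), a file called svchost.exe that lives somewhere other than System32 (c:\autoback\svchost.exe), Run value names stuffed with HTML (the ticker.addItem entries), and services whose ImagePath points at a file that no longer exists. As an added example, not code from the thread or from HijackThis, the Python below encodes those tells and runs them over sample O4/O23 lines copied from the logs in this thread (constructed sample; the ticker line is abbreviated, and two known-good entries are included for contrast). The system-process name list and the edit-distance threshold are my assumptions, not anything HJT does itself.

```python
import ntpath
import re

# Constructed sample: HijackThis O4 (autostart) and O23 (service) lines copied from the
# fix posts in this thread, plus two known-good entries for contrast. The ticker line is
# abbreviated; the real one runs to several hundred characters of HTML.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [only23] C:\WINDOWS\SCVHOST.exe
O4 - HKLM\..\Run: [MSConfigs] c:\autoback\svchost.exe
O4 - HKLM\..\Run: [ticker.addItem('<span style=\"font-family] c:\WINDOWS\System32\ticker.addItem('<span>');
O4 - HKCU\..\Run: [rkfr] C:\PROGRA~1\COMMON~1\rkfr\rkfrm.exe
O23 - Service: Active HelpAssistant - Unknown owner - C:\WINDOWS\IIS\iisset (file missing)
O23 - Service: Indexing Helps (Indexingbox) - Unknown owner - %WINDIR%\system\svchest.exe (file missing)
O23 - Service: OESH (Office Source Engine Help) - Unknown owner - C:\Program.exe (file missing)
"""

# Core Windows process names that malware likes to imitate (assumed list, without .exe).
SYSTEM_NAMES = {"svchost", "lsass", "csrss", "smss", "winlogon", "services", "explorer"}

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>.*?)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<svc>.*?) - (?P<owner>.*?) - (?P<path>.*)$")
EXE_RE = re.compile(r'^"?(?P<exe>[^"]*?\.exe)"?', re.IGNORECASE)


def osa_distance(a, b):
    """Optimal string alignment distance: insert/delete/substitute plus adjacent swaps.
    'scvhost' vs 'svchost' is 1 (one swap); 'svchest' vs 'svchost' is 1 (one substitution)."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def image_path(command):
    """Pull the executable path out of a Run value or a service ImagePath."""
    command = command.replace("(file missing)", "").strip()
    m = EXE_RE.match(command)
    return m.group("exe") if m else command.strip('"')


def path_findings(path):
    """Heuristics shared by O4 and O23 entries."""
    findings = []
    base = ntpath.basename(path).lower()
    stem = base[:-4] if base.endswith(".exe") else base
    folder = ntpath.dirname(path).lower()
    for sysname in SYSTEM_NAMES:
        if stem != sysname and osa_distance(stem, sysname) == 1:
            findings.append(f"lookalike of {sysname}.exe")
    # The genuine svchost.exe only runs from %SystemRoot%\System32 (or SysWOW64).
    if stem == "svchost" and not folder.endswith(("\\system32", "\\syswow64")):
        findings.append("svchost.exe outside System32")
    return findings


def audit(log_text):
    """Return {entry name: [findings]} for every O4/O23 line that trips a heuristic."""
    report = {}
    for line in log_text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            name, cmd = m.group("name"), m.group("cmd")
            findings = path_findings(image_path(cmd))
            # Run value names are arbitrary strings; HTML or script fragments in one mean
            # something wrote garbage into the Run key, which no legitimate installer does.
            if re.search(r"[<>'();]", name + cmd):
                findings.append("HTML/script fragment in Run entry")
            if findings:
                report[name] = findings
            continue
        m = O23_RE.match(line)
        if m:
            svc, path = m.group("svc"), m.group("path")
            findings = path_findings(image_path(path))
            if "(file missing)" in path:
                findings.append("service binary missing on disk")
            if findings:
                report[svc] = findings
    return report


if __name__ == "__main__":
    for entry, why in audit(SAMPLE_LOG).items():
        print(f"{entry!r}: {', '.join(why)}")
```

Two things worth noting from the output. The c:\autoback\svchost.exe entry is caught only by the directory check, since its name is an exact match; that is also why a process name in Task Manager (the "windowhider" window showing up as svchost.exe earlier in the thread) is not enough on its own to tell a copy from the real service host. And the rkfr and updmgr entries trip no pattern at all: bjgarrick removed them from knowledge of known adware names, which is the part of this work a heuristic triage like the one above does not replace.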
  10. destinationchaos

    destinationchaos Private E-2

    All done. The computer appears to be running quieter and no strange processes are going on, but it seems maybe just a bit slower than usual. But I can tell a big difference from just a day ago.
     


  11. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

  12. destinationchaos

    destinationchaos Private E-2

    thanks so much for all of your help! my computer and I appreciate it :)
     
  13. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    You're welcome!

    Surf Safely!:)
     
