HiJackThis File- need help

Discussion in 'Malware Help (A Specialist Will Reply)' started by joker23, Jul 8, 2005.

  1. joker23

    joker23 Private E-2

    My homepage is stuck on allstarsearch and I can't get rid of it, and more importantly my Task Manager is disabled. Please help, thanks.
     

    Attached Files:

  2. PhilliePhan

    PhilliePhan Guest

    WOW! You have collected a serious bunch of malware. Let's have a stab at it, shall we?

    FIRST:
    Please download the following tools and have them handy (Perhaps create an Anti-Spyware Folder for them). Make sure to get them from the links below:

    L2MeFix Tool
    Generic Detection Tool - NT/2000/XP
    VX2.BetterInternet Finder XP/2k - Version Msg126
    Pocket KillBox


    NEXT:
    Please run the uninstaller here: http://www.mypctuneup.com/


    Please print out or save these instructions locally so that you can Disconnect from the Internet and operate with All Browser Windows CLOSED.
    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled.

    Look in Add/Remove Programs for the following and Uninstall them if found:

    Viewpoint
    AutoUpdate
    Apropos Media
    Aprps
    BearShare
    AUN
    AlwaysUpdatedNews
    rdso
    WeirdOnTheWeb
    SurfSideKick 3
    Virtual Bouncer
    + note other suspicious entries


    Now, look in Task Manager (Ctrl-Alt-Del) for the following running processes and try to end them, if found.

    wintask.exe
    ViewMgr.exe
    exp.exe
    AutoUpdate.exe
    lsa500.exe
    eetu.exe
    loat500.exe
    CxtPls.exe
    „ƒsrss.exe


    Now scan with HijackThis and Check the Boxes for the following, if they remain:

    R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)

    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

    O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\cfgmgr52.dll (file missing)
    O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\Aprps\cxtpls.dll
    O2 - BHO: (no name) - {0D9451AB-EC13-E49B-60F7-C52E37099BEB} - C:\WINDOWS\System32\gikzhyj.dll (file missing)
    O2 - BHO: VBRunDLL Class - {197B8CA4-E215-46DD-8F33-E0544A80E5C4} - C:\WINDOWS\System32\vbrundll.dll (file missing)
    O2 - BHO: (no name) - {509401AF-E417-E1C1-3DF7-C52E37099BBD} - C:\WINDOWS\System32\vnx.dll
    O2 - BHO: (no name) - {50C554AD-E714-BA96-32F7-C52E37099ABE} - C:\WINDOWS\System32\quufngx.dll

    O4 - HKLM\..\Run: [PS1] C:\WINDOWS\System32\ps1.exe
    O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\System32\wintask.exe
    O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [ozai] C:\WINDOWS\System32\ozai.exe
    O4 - HKLM\..\Run: [PSof1] C:\WINDOWS\System32\PSof1.exe
    O4 - HKLM\..\Run: [regsync] C:\WINDOWS\System32\regsync.exe
    O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
    O4 - HKLM\..\Run: [vidctrl] C:\WINDOWS\System32\vidctrl\vidctrl.exe
    O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
    O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\System32\exp.exe
    O4 - HKLM\..\Run: [C:\WINDOWS\VCMnet11.exe] C:\WINDOWS\VCMnet11.exe
    O4 - HKLM\..\Run: [exp] C:\WINDOWS\System32\exp
    O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
    O4 - HKLM\..\Run: [WeirdOnTheWeb] "C:\Program Files\WeirdOnTheWeb\WeirdOnTheWeb.exe"
    O4 - HKLM\..\Run: [hi0lautq] C:\WINDOWS\System32\hi0lautq.exe
    O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\vzvavz.exe reg_run
    O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
    O4 - HKLM\..\Run: [qsrf37O] lsa500.exe
    O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
    O4 - HKCU\..\Run: [Aida] C:\Program Files\rdso\eetu.exe
    O4 - HKCU\..\Run: [Phau] C:\WINDOWS\System32\??srss.exe
    O4 - HKCU\..\Run: [bB0pRXi6W] loat500.exe

    O13 - DefaultPrefix: http://allstarsearch.net/gall.php?url=
    O13 - WWW Prefix: http://allstarsearch.net/gall.php?url=
    O13 - Home Prefix: http://allstarsearch.net/gall.php?url=
    O13 - Mosaic Prefix: http://allstarsearch.net/gall.php?url=

    O15 - Trusted Zone: *.media-motor.net
    O15 - Trusted Zone: http://www.neededware.com
    O15 - Trusted Zone: *.skoobidoo.com
    O15 - Trusted Zone: *.slotchbar.com
    O15 - Trusted Zone: *.windupdates.com
    O15 - Trusted Zone: *.skoobidoo.com (HKLM)
    O15 - Trusted Zone: *.slotchbar.com (HKLM)
    O15 - Trusted Zone: *.windupdates.com (HKLM)
    O15 - Trusted IP range: 67.19.178.84

    O16 - DPF: NDWCab - http://www.neededware.com/ndw3.cab
    O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab

    O20 - Winlogon Notify: App Management - C:\WINDOWS\system32\kedhela2.dll

    O21 - SSODL: BearShare - {46D61B98-21E6-0CDD-6E17-3772FDD02FAF} - c:\progra~1\bearsh~1\wdxekpq1.dll

    O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

    Again, make sure All Browser Windows are Closed when you Click FIX.


    NOW:
    Please open Pocket KillBox.

    Next, you will be entering items into Pocket KillBox. Please select the “Delete on Reboot” Option. Enter or Copy&Paste each of the following into the box one by one, making sure Delete on Reboot is Checked for each entry. Click the Red X for each entry, but DO NOT Allow your machine to be Rebooted until the last item has been entered:
    ** Note:
    For the .dlls, check the Unregister .dll Before Deleting box as well.
    Some of these files/folders should be gone already.

    C:\WINDOWS\Nail.exe
    C:\WINDOWS\cfgmgr52.dll
    C:\Program Files\Aprps
    C:\WINDOWS\System32\gikzhyj.dll
    C:\WINDOWS\System32\vbrundll.dll
    C:\WINDOWS\System32\vnx.dll
    C:\WINDOWS\System32\quufngx.dll
    C:\WINDOWS\System32\ps1.exe
    C:\WINDOWS\System32\wintask.exe
    C:\PROGRA~1\VBouncer
    C:\Program Files\Viewpoint
    C:\WINDOWS\System32\ozai.exe
    C:\WINDOWS\System32\PSof1.exe
    C:\WINDOWS\System32\regsync.exe
    C:\WINDOWS\System32\nsvsvc
    C:\WINDOWS\System32\vidctrl
    C:\WINDOWS\cfgmgr52.dll
    C:\WINDOWS\System32\exp.exe
    C:\WINDOWS\VCMnet11.exe
    C:\WINDOWS\System32\exp
    C:\Program Files\WeirdOnTheWeb
    C:\WINDOWS\System32\hi0lautq.exe
    C:\WINDOWS\System32\vzvavz.exe
    C:\Program Files\AutoUpdate
    C:\WINDOWS\System32\lsa500.exe
    C:\WINDOWS\System32\loat500.exe
    C:\Program Files\Aprps\CxtPls.exe
    C:\WINDOWS\system32\„ƒsrss.exe
    C:\Program Files\SurfSideKick 3
    C:\Program Files\rdso
    C:\WINDOWS\System32\??srss.exe
    C:\WINDOWS\system32\kedhela2.dll
    c:\progra~1\bearsh~1\wdxekpq1.dll
    C:\WINDOWS\svcproc.exe

    When the last item has been entered and you are prompted to reboot, ALLOW Pocket KillBox to Reboot your computer. If Killbox fails to Reboot your machine, do it manually.


    NEXT:
    Run CCleaner and Spybot S&D (from the READ ME FIRST Sticky Post ) and have Spybot fix what it finds.


    NEXT:
    Please move the L2MeFix Tool to your Desktop and DoubleClick l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix Folder on your Desktop. DoubleClick l2mfix.bat and Type 1 and ENTER to select Option #1, Run Find Log. Allow it as much time as it needs to run until NotePad opens with a log.

    NOTE: Please do not run any other options or files in the l2mfix Folder!

    Please attach the l2mfix Find log along with a fresh HijackThis log when you post back and we’ll see where you stand.
    Let me know of any problems you may have encountered with the above instructions and how your computer is running now.
    I will try to check back as time permits.

    Best luck :)
    PP
     
    Last edited by a moderator: Jul 9, 2005
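    As an added, defender-side example (not code from this thread, from HijackThis, or from MajorGeeks): a small Python parser for the HijackThis log format that groups lines by section and marks the kinds of entries the lists above keep coming back to: registrations whose file is already gone, a chained Shell= in system.ini, O13 URL prefixes, O15 Trusted Zone sites, autoruns that load through RunDLL32 or give no absolute path, and Winlogon Notify / SSODL / unknown-owner services. The sample lines are constructed from entries quoted in this thread, and the flagging rules are my assumptions about what is worth a second look, not HijackThis's own logic.

```python
"""Parse HijackThis-style log lines and flag the entry types that a
removal pass usually acts on. Added example for this thread; the rules
below are the author's heuristics, not HijackThis's own."""
import re
from collections import Counter

# Constructed sample in HijackThis log format, assembled from entries
# quoted in this thread. A real log has many more (mostly benign) lines.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\Aprps\cxtpls.dll
O2 - BHO: VBRunDLL Class - {197B8CA4-E215-46DD-8F33-E0544A80E5C4} - C:\WINDOWS\System32\vbrundll.dll (file missing)
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\System32\wintask.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [qsrf37O] lsa500.exe
O13 - DefaultPrefix: http://allstarsearch.net/gall.php?url=
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted IP range: 67.19.178.84
O20 - Winlogon Notify: App Management - C:\WINDOWS\system32\kedhela2.dll
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
"""

# One log line: section tag (R3, F2, O4, ...), " - ", then the body.
LINE_RE = re.compile(r"^(R\d|F\d|O\d+)\s+-\s+(.*)$")
# A Windows path ending in a loadable extension. Spaces are allowed because
# "C:\Program Files\..." is common; quotes and commas end it (RunDLL32 args).
PATH_RE = re.compile(r'([A-Za-z]:\\[^",]*?\.(?:exe|dll|scr|com|cpl|bat))', re.I)
MISSING_MARKERS = ("(file missing)", "(no file)")


def parse_hjt_log(text):
    """Turn log text into a list of {section, body, paths, missing} dicts."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank lines, headers, anything not in HJT line form
        section, body = m.groups()
        entries.append({
            "section": section,
            "body": body,
            "paths": PATH_RE.findall(body),
            "missing": any(mk in body for mk in MISSING_MARKERS),
        })
    return entries


def classify(entry):
    """Return a reason string if the entry deserves attention, else None."""
    s, body = entry["section"], entry["body"]
    if entry["missing"]:
        return "orphaned registration: target file is already gone"
    if s == "F2" and "Shell=" in body:
        shell = body.split("Shell=", 1)[1].strip().lower()
        if shell != "explorer.exe":
            return "shell hijack: extra program chained after Explorer.exe"
    if s == "O2" and "(no name)" in body:
        return "BHO with no registered name"
    if s == "O4":
        if not entry["paths"]:
            return "autorun with no absolute path (resolved via PATH at logon)"
        if "rundll32" in body.lower():
            return "autorun loading a DLL through RunDLL32"
    if s == "O13":
        return "URL prefix changed from the IE default"
    if s == "O15":
        return "Trusted Zone entry: site runs with relaxed IE security"
    if s in ("O20", "O21"):
        return "DLL loaded at logon by winlogon/explorer; confirm it is known"
    if s == "O23" and "Unknown owner" in body:
        return "service with no recorded owner"
    return None


def review(text):
    """List (section, reason, body) for every flagged entry, in log order."""
    findings = []
    for e in parse_hjt_log(text):
        reason = classify(e)
        if reason:
            findings.append((e["section"], reason, e["body"]))
    return findings


def section_counts(text):
    """Count entries per section tag, e.g. {'O4': 4, 'O15': 2, ...}."""
    return Counter(e["section"] for e in parse_hjt_log(text))


if __name__ == "__main__":
    for section, reason, body in review(SAMPLE_LOG):
        print(f"{section:4} {reason}\n     {body}")
```

    Run it on a saved log with `parse_hjt_log(open("hijackthis.log").read())`. The point of `classify` is that not every O4 is flagged: the two Run entries with a plain absolute path come back unflagged, while the bare `lsa500.exe` and the RunDLL32 line do, which mirrors how the helper's lists single out entries rather than wiping every autorun.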
  3. joker23

    joker23 Private E-2

    Thanks, but I have encountered a few problems.
    1. The PC uninstaller doesn't work even when all programs are closed.
    2. My Task Manager is disabled and will not work.
    3. When trying to delete the .dll files, I can't check the box for Unregister .dll Before Deleting.

    I did delete the programs using HijackThis and hopefully it will fix so many problems for me. Thanks.
     
  4. joker23

    joker23 Private E-2

    I got my Task Manager back, and even if I can't fix everything I am happy. Thanks. :D
     
  5. PhilliePhan

    PhilliePhan Guest

    Good deal, but go ahead and send me a fresh HJT log. There are likely more items to remove.

    As far as the .dlls go, they are probably already gone - I included them in the delete list just in case they remained.

    It will likely take another pass through a fresh log to get everything.

    PP :)
     
  6. joker23

    joker23 Private E-2

    Here's my new log:
     

    Attached Files:

  7. PhilliePhan

    PhilliePhan Guest

    You still have a serious boatload o' crap on your machine! Let's take another pass through it - The instructions are similar to last time . . . . .

    Please print out or save these instructions locally so that you can Disconnect from the Internet and operate with All Browser Windows CLOSED.
    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled.

    Look in Add/Remove Programs for the following and Uninstall them if found:

    NaviSearch
    BullsEye Network
    BearShare
    AUN
    AlwaysUpdatedNews
    rdso
    CAS
    Casino Client
    SurfSideKick 3
    + note other suspicious entries


    Now, look in Task Manager (Ctrl-Alt-Del) for the following running processes and try to end them, if found.

    nls.exe
    cashback.exe
    eetu.exe
    dƒËdplay.exe
    bargains.exe
    BearShare.exe


    Now scan with HijackThis and Check the Boxes for the following, if they remain:

    R3 - Default URLSearchHook is missing

    O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
    O2 - BHO: (no name) - {78BABE80-5066-0BB3-1100-2F801D04B5B8} - C:\WINDOWS\System32\zhlwyzvj.dll
    O2 - BHO: (no name) - {7A1693A1-AFAF-4F1E-9B05-EEC38A85FBF3} - C:\WINDOWS\system32\zgq9dk.dll
    O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\System32\nvms.dll
    O2 - BHO: (no name) - {B6FBB9CF-007B-53FC-52F2-25D0582027E4} - C:\WINDOWS\System32\cvvhpb.dll
    O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\System32\mscb.dll
    O2 - BHO: (no name) - {F3798A0E-6FEE-3937-C35E-4FA68FDD38B3} - C:\WINDOWS\System32\yugkm.dll
    O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll

    O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
    O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe
    O4 - HKLM\..\Run: [CashBack] C:\Program Files\CashBack\bin\cashback.exe
    O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
    O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
    O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
    O4 - HKCU\..\Run: [bB0pRXi6W] dmdec6.exe
    O4 - HKCU\..\Run: [Aida] C:\Program Files\rdso\eetu.exe
    O4 - HKCU\..\Run: [Npefsqh] C:\WINDOWS\System32\d?Edplay.exe

    O15 - Trusted Zone: *.blazefind.com
    O15 - Trusted Zone: *.clickspring.net
    O15 - Trusted Zone: *.flingstone.com
    O15 - Trusted Zone: *.media-motor.net
    O15 - Trusted Zone: *.mt-download.com
    O15 - Trusted Zone: *.my-internet.info
    O15 - Trusted Zone: http://www.neededware.com
    O15 - Trusted Zone: *.popuppers.com
    O15 - Trusted Zone: *.searchbarcash.com
    O15 - Trusted Zone: *.searchmiracle.com
    O15 - Trusted Zone: *.skoobidoo.com
    O15 - Trusted Zone: *.slotch.com
    O15 - Trusted Zone: *.slotchbar.com
    O15 - Trusted Zone: *.windupdates.com
    O15 - Trusted Zone: *.xxxtoolbar.com
    O15 - Trusted Zone: *.ysbweb.com
    O15 - Trusted IP range: 67.19.178.84

    O20 - Winlogon Notify: Applets - C:\WINDOWS\system32\dunetlib.dll
    O20 - Winlogon Notify: Telephony - C:\WINDOWS\system32\wbnstrm.dll
    O20 - Winlogon Notify: WindowsUpdate - C:\WINDOWS\system32\avctres.dll

    O21 - SSODL: BearShare - {46D61B98-21E6-0CDD-6E17-3772FDD02FAF} - c:\progra~1\bearsh~1\wdxekpq1.dll

    O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

    Again, make sure All Browser Windows are Closed when you Click FIX.


    NOW:
    Please open Pocket KillBox.

    Next, you will be entering items into Pocket KillBox. Please select the “Delete on Reboot” Option. Enter or Copy&Paste each of the following into the box one by one, making sure Delete on Reboot is Checked for each entry. Click the Red X for each entry, but DO NOT Allow your machine to be Rebooted until the last item has been entered:
    ** Note:
    For the .dlls, check the Unregister .dll Before Deleting box as well. If this option is not enabled, don't worry about it.
    Some of these files/folders should be gone already.

    C:\Program Files\E2G
    C:\WINDOWS\System32\zhlwyzvj.dll
    C:\WINDOWS\system32\zgq9dk.dll
    C:\WINDOWS\System32\nvms.dll
    C:\WINDOWS\System32\cvvhpb.dll
    C:\WINDOWS\System32\mscb.dll
    C:\WINDOWS\System32\yugkm.dll
    C:\WINDOWS\System32\msbe.dll
    C:\Program Files\BullsEye Network
    C:\Program Files\NaviSearch
    C:\Program Files\CashBack
    C:\Program Files\SurfSideKick 3
    C:\Program Files\Cas
    C:\Program Files\rdso\eetu.exe
    C:\WINDOWS\System32\d?Edplay.exe
    C:\WINDOWS\system32\dunetlib.dll
    C:\WINDOWS\system32\wbnstrm.dll
    C:\WINDOWS\system32\avctres.dll

    When the last item has been entered and you are prompted to reboot, ALLOW Pocket KillBox to Reboot your computer. If Killbox fails to Reboot your machine, do it manually.


    NEXT:
    Run CCleaner and Spybot S&D (from the READ ME FIRST Sticky Post ) and have Spybot fix what it finds.


    NEXT:
    Please move the L2MeFix Tool to your Desktop and DoubleClick l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix Folder on your Desktop. DoubleClick l2mfix.bat and Type 1 and ENTER to select Option #1, Run Find Log. Allow it as much time as it needs to run until NotePad opens with a log.

    NOTE: Please do not run any other options or files in the l2mfix Folder!

    Please attach the l2mfix Find log along with a fresh HijackThis log when you post back and we’ll see where you stand.
    Let me know of any problems you may have encountered with the above instructions and how your computer is running now.
    I will try to check back as time permits.

    Best luck :)
    PP
     
  8. joker23

    joker23 Private E-2

    I have bigger problems now than spyware. Somehow I think I deleted rundll32 and Internet Explorer refuses to work. Firefox saved my ass. Here is my new log.
     

    Attached Files:

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    How did you delete rundll32.exe? Use windows search and look for another copy on your PC to restore from. You may have one in an i386 folder.

    You still have some problems in your HJT log.

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).
    Did you use Add/Remove programs to uninstall Bearshare?

    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    C:\WINDOWS\System32\conime.exe

    After killing all the above processes, click "Back".
    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O2 - BHO: (no name) - {FA2EDD58-6AEF-6930-C55E-4FA68FDD62B6} - C:\WINDOWS\System32\hmfmfwv.dll (file missing)
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
    O21 - SSODL: BearShare - {46D61B98-21E6-0CDD-6E17-3772FDD02FAF} - c:\progra~1\bearsh~1\wdxekpq1.dll

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\System32\conime.exe
    c:\Program Files\bearshare <--- the whole folder

    If you get an error when deleting a file, right-click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now run CCleaner (installed while running the READ ME FIRST). Now if running Win XP, go to c:\windows\Prefetch and delete all files in this folder.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
     
