Need help with HijackThis log

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by 70'cuda, Jul 15, 2004.

  1. 70'cuda

    70'cuda Private E-2

    Like everyone else, I'm trying to remove spyware/adware.

    I've run Ad-Aware, Spybot Search and Destroy, BitDefender, and Trend Micro HouseCall, and am still getting popups that say "Only the Best".

    Here is my HijackThis saved log. Any help will be greatly appreciated.

    Logfile of HijackThis v1.98.0
    Scan saved at 11:44:33 AM, on 7/15/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    C:\Program Files\Common files\WinTools\WToolsS.exe
    C:\WINDOWS\system32\appac32.exe
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Common files\WinTools\WToolsA.exe
    C:\WINDOWS\BCMSMMSG.exe
    C:\DOCUME~1\DEANNV~1.DEA\LOCALS~1\Temp\32cx423.exe
    C:\WINDOWS\added.exe
    C:\documents and settings\daniel vostad.deann-7hslfns56\local settings\temp\aPR.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\wmnhutdn.exe
    C:\Program Files\Common Files\WinTools\WSup.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Documents and Settings\Daniel Vostad.DEANN-7HSLFNS56\Local Settings\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://search-internet.net
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search-internet.net
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50019
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\imfdu.dll/sp.html#37049
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://imfdu.dll/index.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://imfdu.dll/index.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\imfdu.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50019
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\imfdu.dll/sp.html#37049
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://imfdu.dll/index.html#37049
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://search-internet.net
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search-internet.net
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://search-internet.net
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50019
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search-internet.net
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
    O2 - BHO: (no name) - {E5A932D6-23F4-5016-9ABB-AC2CAF1A53A0} - C:\WINDOWS\wincc.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
    O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [Services] C:\DOCUME~1\DEANNV~1.DEA\LOCALS~1\Temp\32cx423.exe
    O4 - HKLM\..\Run: [AdobeFonts] C:\WINDOWS\Fonts\fonts.hta
    O4 - HKLM\..\Run: [added.exe] C:\WINDOWS\added.exe
    O4 - HKLM\..\Run: [aPR] C:\documents and settings\daniel vostad.deann-7hslfns56\local settings\temp\aPR.exe
    O4 - HKLM\..\Run: [AutoLoaderqF561YXQXKaX] "C:\WINDOWS\System32\dospex.exe" /PC="AM.WILD" /HideUninstall
    O4 - HKLM\..\Run: [qsmg3si] dospex.exe
    O4 - HKLM\..\RunOnce: [ipjr.exe] C:\WINDOWS\system32\ipjr.exe
    O4 - HKLM\..\RunOnce: [javavo.exe] C:\WINDOWS\javavo.exe
    O4 - HKLM\..\RunOnce: [appac32.exe] C:\WINDOWS\system32\appac32.exe
    O4 - HKLM\..\RunOnce: [ipqy.exe] C:\WINDOWS\system32\ipqy.exe
    O4 - HKLM\..\RunOnce: [mfcbu.exe] C:\WINDOWS\system32\mfcbu.exe
    O4 - HKLM\..\RunOnce: [ntgw.exe] C:\WINDOWS\ntgw.exe
    O4 - HKLM\..\RunOnce: [msmh.exe] C:\WINDOWS\system32\msmh.exe
    O4 - HKLM\..\RunOnce: [adddy32.exe] C:\WINDOWS\system32\adddy32.exe
    O4 - HKLM\..\RunOnce: [d3rp.exe] C:\WINDOWS\d3rp.exe
    O4 - HKLM\..\RunOnce: [addlp32.exe] C:\WINDOWS\system32\addlp32.exe
    O4 - HKLM\..\RunOnce: [netuj32.exe] C:\WINDOWS\system32\netuj32.exe
    O4 - HKLM\..\RunOnce: [mfczv.exe] C:\WINDOWS\system32\mfczv.exe
    O4 - HKLM\..\RunOnce: [ieeo32.exe] C:\WINDOWS\system32\ieeo32.exe
    O4 - HKLM\..\RunOnce: [appur.exe] C:\WINDOWS\appur.exe
    O4 - HKLM\..\RunOnce: [apilh32.exe] C:\WINDOWS\system32\apilh32.exe
    O4 - HKLM\..\RunOnce: [sdkdx32.exe] C:\WINDOWS\sdkdx32.exe
    O4 - HKLM\..\RunOnce: [nettf32.exe] C:\WINDOWS\nettf32.exe
    O4 - HKLM\..\RunOnce: [sysgk32.exe] C:\WINDOWS\system32\sysgk32.exe
    O4 - HKLM\..\RunOnce: [javabd.exe] C:\WINDOWS\javabd.exe
    O4 - HKLM\..\RunOnce: [winpj.exe] C:\WINDOWS\system32\winpj.exe
    O4 - HKLM\..\RunOnce: [addcr.exe] C:\WINDOWS\system32\addcr.exe
    O4 - HKLM\..\RunOnce: [ieam32.exe] C:\WINDOWS\ieam32.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [bB5mRiG8g] wmnhutdn.exe
    O4 - Startup: PowerReg Scheduler V3.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
    O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O16 - DPF: {13112111-1224-1141-1451-111111113533} - file://c:\windows\system32\kb3jd94kz.exe
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/23f64d47bffdf548e120/netzip/RdxIE601.cab
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
     
  2. 70'cuda

    70'cuda Private E-2

    Also, I have already disabled System Restore and Network Security Service.
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay so then try this!

    Now follow these steps exactly. Read through them first. If you cannot do them or do not understand anything, don't do anything until you get clarification from me. You may want to print these or copy them locally to a Notepad file, because I am going to have you physically disconnect from the internet very soon.

    Before starting make sure you have the current versions of:
    HijackThis (you have an old version): http://www.majorgeeks.com/download3155.html
    HSremove (v2.37 at time of writing): http://www.majorgeeks.com/download4286.html
    a² anti virus: http://www.majorgeeks.com/download4281.html
    Ad-aware: http://www.majorgeeks.com/download506.html
    Make sure the Ad-aware reference file is: 01R332 12.07.2004
    Also first read about how to set Ad-aware for a fullscan: http://www.lavahelp.com/howto/fullscan/index.html

    Print instructions if necessary or save locally.

    - Make sure you can view hidden files and folders: http://www.xtra.co.nz/help/0,,4155-1916458,00.html
    - disable system restore: http://forums.majorgeeks.com/showthread.php?t=31668 (do not reboot when told to)
    - **** VERY IMPORTANT physically disconnect from the internet (unplug cables) ****
    - as long as you have not rebooted since posting the log, bring up Task Manager (CTRL-ALT-DEL) and kill these two processes:
    C:\WINDOWS\system32\appac32.exe
    C:\WINDOWS\added.exe
    Also look at the O4 lines below from HijackThis. If you see any of those running, kill them too.

    - run HSremove
    - Boot into safe mode: http://service1.symantec.com/SUPPOR...src=sec_doc_nam
    - run HijackThis and fix these if found:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://search-internet.net
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search-internet.net
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50019
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\imfdu.dll/sp.html#37049
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://imfdu.dll/index.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://imfdu.dll/index.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\imfdu.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50019
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\imfdu.dll/sp.html#37049
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://imfdu.dll/index.html#37049
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://search-internet.net
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search-internet.net
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://search-internet.net
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50019
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search-internet.net
    O2 - BHO: (no name) - {E5A932D6-23F4-5016-9ABB-AC2CAF1A53A0} - C:\WINDOWS\wincc.dll
    O4 - HKLM\..\RunOnce: [ipjr.exe] C:\WINDOWS\system32\ipjr.exe
    O4 - HKLM\..\RunOnce: [javavo.exe] C:\WINDOWS\javavo.exe
    O4 - HKLM\..\RunOnce: [appac32.exe] C:\WINDOWS\system32\appac32.exe
    O4 - HKLM\..\RunOnce: [ipqy.exe] C:\WINDOWS\system32\ipqy.exe
    O4 - HKLM\..\RunOnce: [mfcbu.exe] C:\WINDOWS\system32\mfcbu.exe
    O4 - HKLM\..\RunOnce: [ntgw.exe] C:\WINDOWS\ntgw.exe
    O4 - HKLM\..\RunOnce: [msmh.exe] C:\WINDOWS\system32\msmh.exe
    O4 - HKLM\..\RunOnce: [adddy32.exe] C:\WINDOWS\system32\adddy32.exe
    O4 - HKLM\..\RunOnce: [d3rp.exe] C:\WINDOWS\d3rp.exe
    O4 - HKLM\..\RunOnce: [addlp32.exe] C:\WINDOWS\system32\addlp32.exe
    O4 - HKLM\..\RunOnce: [netuj32.exe] C:\WINDOWS\system32\netuj32.exe
    O4 - HKLM\..\RunOnce: [mfczv.exe] C:\WINDOWS\system32\mfczv.exe
    O4 - HKLM\..\RunOnce: [ieeo32.exe] C:\WINDOWS\system32\ieeo32.exe
    O4 - HKLM\..\RunOnce: [appur.exe] C:\WINDOWS\appur.exe
    O4 - HKLM\..\RunOnce: [apilh32.exe] C:\WINDOWS\system32\apilh32.exe
    O4 - HKLM\..\RunOnce: [sdkdx32.exe] C:\WINDOWS\sdkdx32.exe
    O4 - HKLM\..\RunOnce: [nettf32.exe] C:\WINDOWS\nettf32.exe
    O4 - HKLM\..\RunOnce: [sysgk32.exe] C:\WINDOWS\system32\sysgk32.exe
    O4 - HKLM\..\RunOnce: [javabd.exe] C:\WINDOWS\javabd.exe
    O4 - HKLM\..\RunOnce: [winpj.exe] C:\WINDOWS\system32\winpj.exe
    O4 - HKLM\..\RunOnce: [addcr.exe] C:\WINDOWS\system32\addcr.exe
    O4 - HKLM\..\RunOnce: [ieam32.exe] C:\WINDOWS\ieam32.exe

    - Reset Web Settings by right-clicking on your Internet Explorer icon. Then click Properties, Programs, and click the Reset Web Settings button. Then go back to the General tab and set your home page back to something useful like www.majorgeeks.com
    - while in safe mode, run a Fullscan with Ad-aware
    - boot normally and reconnect to the internet

    - Run a² anti virus!
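    The indicators chaslang picks out of the log above (IE start and search pages served from a local DLL via res://, an unnamed BHO, Run entries launched from a Temp folder or an .hta file, and the pile of RunOnce entries) can be checked mechanically. The following triage script is an added example, not code from this thread or from HijackThis; its heuristics are my own assumptions drawn from the entries fixed here, and the sample lines are copied from the log in post 1.

```python
import re

# Constructed sample: lines taken from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://imfdu.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\imfdu.dll/sp.html#37049
O2 - BHO: (no name) - {E5A932D6-23F4-5016-9ABB-AC2CAF1A53A0} - C:\WINDOWS\wincc.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Services] C:\DOCUME~1\DEANNV~1.DEA\LOCALS~1\Temp\32cx423.exe
O4 - HKLM\..\Run: [AdobeFonts] C:\WINDOWS\Fonts\fonts.hta
O4 - HKLM\..\RunOnce: [ipjr.exe] C:\WINDOWS\system32\ipjr.exe
"""

LINE_RE = re.compile(r"^(R\d|O\d+) - (.*)$")  # every entry starts with a section code

def parse_hjt_line(line):
    """Split one log line into its section code and body; None for non-entries."""
    m = LINE_RE.match(line.strip())
    return {"section": m.group(1), "body": m.group(2)} if m else None

def flag_entry(entry):
    """Return a reason if the entry matches a hijack indicator, else None.
    The heuristics are assumptions drawn from the entries fixed in this thread."""
    sec, low = entry["section"], entry["body"].lower()
    if sec in ("R0", "R1") and "res://" in low:
        return "IE start/search page served from a local DLL via res://"
    if sec == "O2" and "(no name)" in low:
        return "unnamed BHO; verify the DLL before trusting it"
    if sec == "O4":
        if "\\temp\\" in low:
            return "autorun launched from a Temp directory"
        if low.endswith(".hta"):
            return "autorun launches an HTML application (.hta)"
        if "runonce:" in low:
            return "RunOnce entry; a clean machine rarely has any pending"
    return None

def triage(log_text):
    """Return (line, reason) pairs for every flagged entry in a log."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_hjt_line(line)
        reason = flag_entry(entry) if entry else None
        if reason:
            hits.append((line.strip(), reason))
    return hits

if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"{reason}\n    {line}")
```

    Run it over a full saved log to get a shortlist for review; a flag is a reason to look at the entry, not proof on its own that it is malicious.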
     
  4. 70'cuda

    70'cuda Private E-2

    First off, thanks for replying.

    I'm having trouble creating my a² anti-virus account though; I'm not getting the code, and I used the same email address as the one I received a confirmation email from majorgeeks.com for joining, so it should work.
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you click the -> Create new a2 account now button when you first installed it?
    Then they send the info to your email account. They do say they have problems with Hotmail accounts.
     
  6. 70'cuda

    70'cuda Private E-2

    I've done everything but the a2.

    Yes, I clicked Create New Account during setup, and I don't use Hotmail.

    However, I haven't had any popups and my homepage is back to my default. It is amazing; I can't thank you enough. This has been irritating the crap out of me for weeks now.

    Do you think I still need to run the a2 program? Do you know any others?

    Sorry it took me so long; I'm also trying to fix the A/C in my car.
     
  7. 70'cuda

    70'cuda Private E-2

    Also, could you recommend one of those programs that detect when a virus tries to change something on your computer and warn you about it?
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member
