HijackThis assistance needed
 

Hi all. I am new to this so perhaps someone can help.

I have undertaken to try to fix a friends pc. I install spyremover and antivirus and have proceeded to remove (as best i can!) the viruses resident.

I now have problems with iexplorer.exe auto creating and also with multiple popups and unwanted search bars.

I downloaded HijackThis and ran it. Can someone help with the log file results?

Logfile of HijackThis v1.99.1
Scan saved at 06:08:03, on 25/04/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Apps\ActivBoard\nhksrv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe
C:\WINDOWS\System32\lxbscoms.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Apps\ActivBoard\MMKeybd.exe
C:\Program Files\Virtual CD v4 SDK\system\vcsplay.exe
C:\Apps\ActivBoard\TrayMon.exe
C:\Apps\ActivBoard\OSD.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Tech\Wheel Mouse\5.0\MOUSE32A.EXE
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\WINDOWS\System32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\System32\khooker.exe
C:\apps\ActivSurf\4448364\Program\backweb-4448364.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\ntl\broadband medic\bin\mpbtn.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\SpyRemover\Remover.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\PeDevice\PeDev.exe
C:\Documents and Settings\NATALIE\My Documents\System Clean Up\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\system32\SearchBar.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BT Yahoo! Broadband
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
O1 - Hosts: 12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\apps\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {8575CB4B-4B2F-1943-89E4-70CD520CA062} - (no file)
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll
O2 - BHO: PEDEV_IEListener Class - {E1412445-4FF8-410e-8D24-F2CF86B171A4} - C:\Program Files\PeDevice\PeDev.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [ACTIVBOARD] C:\Apps\ActivBoard\MMKeybd.exe
O4 - HKLM\..\Run: [VCSPlayer] "C:\Program Files\Virtual CD v4 SDK\system\vcsplay.exe"
O4 - HKLM\..\Run: [Peeramid] \PService.exe
O4 - HKLM\..\Run: [e80c19c28c15] C:\WINDOWS\System32\audiosrv.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Tech\Wheel Mouse\5.0\MOUSE32A.EXE
O4 - HKLM\..\Run: [LXBSCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBStime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [MemoryCardManager] C:\Program Files\Lexmark\Lexmark Precision Photo\MemCard.exe -startup
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\c.bin\mwsoemon.exe
O4 - HKLM\..\Run: [BlockChecker] C:\Program Files\Block Checker\block-checker.exe
O4 - HKLM\..\Run: [BallSizeMagsShow] C:\Documents and Settings\All Users\Application Data\Dumb enc ball size\32 FORD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [ActivSurf] C:\apps\ActivSurf\4448364\Program\backweb-4448364.exe
O4 - HKCU\..\Run: [Update Service] C:\PROGRA~1\COMMON~1\TEKNUM~1\update.exe /startup
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - Global Startup: broadband medic.lnk = C:\Program Files\ntl\broadband medic\bin\matcli.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: updater.lnk = C:\Program Files\Common Files\updater\wupdater.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...p=ZCxdm628YYGB
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\maxspeed.exe
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\maxspeed.exe
O9 - Extra button: Packard Bell - {1D49B7D4-524D-4ac9-BC34-B4822CAE4BB1} - C:\Apps\IECustom\script.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Homepage - {37E3666B-B532-495E-80A5-CC01E17C85F0} - http://bt.yahoo.com (file missing) (HKCU)
O9 - Extra button: BT - {C60CA15D-8273-496D-AF15-453AC5AD7749} - http://www.bt.com (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab30149.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...tatsClient.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...reShowdown.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxbs_device - Lexmark International, Inc. - C:\WINDOWS\System32\lxbscoms.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Apps\ActivBoard\nhksrv.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Virtual CD v4 Security service (SDK - Version) (VCSSecS) - H+H Software GmbH - C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE


Any help would be gratefully appreciated.

Jon

Re: HijackThis assistance needed
 

Hi and welcome :). Please run HJT again and select Do system scan only. Then check the following items.

YOU WILL NEED TO PRINT THESE OUT, AS YOU WILL OT HAVE ACCESS TO THE INTERNET DURING PARTS OF THE FIX!


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\system32\SearchBar.htm

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank


R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

R3 - URLSearchHook: (no name) - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)

O2 - BHO: (no name) - {8575CB4B-4B2F-1943-89E4-70CD520CA062} - (no file)

O2 - BHO: PEDEV_IEListener Class - {E1412445-4FF8-410e-8D24-F2CF86B171A4} - C:\Program Files\PeDevice\PeDev.dll

O4 - HKLM\..\Run: [Peeramid] \PService.exe

O4 - HKLM\..\Run: [e80c19c28c15] C:\WINDOWS\System32\audiosrv.exe

O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\c.bin\mwsoemon.exe

O4 - HKLM\..\Run: [BlockChecker] C:\Program Files\Block Checker\block-checker.exe

O4 - HKLM\..\Run: [ActivSurf] C:\apps\ActivSurf\4448364\Program\backweb-4448364.exe

O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...p=ZCxdm628YYGB

O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\maxspeed.exe

O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\maxspeed.exe

O9 - Extra button: Packard Bell - {1D49B7D4-524D-4ac9-BC34-B4822CAE4BB1} - C:\Apps\IECustom\script.htm

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O9 - Extra button: Homepage - {37E3666B-B532-495E-80A5-CC01E17C85F0} - http://bt.yahoo.com (file missing) (HKCU)

O9 - Extra button: BT - {C60CA15D-8273-496D-AF15-453AC5AD7749} - http://www.bt.com (file missing) (HKCU)

O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -



Click Fix Checked

------------------------------------------------------------------

Please download About:Buster & Download pocket killbox from http://www.thespykiller.co.uk/files/killbox.exe & put it on the desktop where you can find it easily

Then Please boot into safe mode

Exit ALL Browsers and unplug your internet cable

Next run about:Buster and save the log to ab1.txt.[/list] Immediately reboot into safe mode and run about:Buster again and save another log to ab2.txt

While still in safe mode Start killbox Copy the list of files below to the clipboard by selecting all of them with your mouse (Left click the start of the list and drag the mouse to the bottom of the list) and when they are all selected ( highlighted in blue) right click on any part of the blue area and say copy

In the Killbox, Go to the toolbar press file and select Paste from clipboard. The first file name will appear in the window and if the file exists it will appear in blue under that window then select standard file kill, press the red X button, say yes to the prompt and once the file deleted message comes up then press the red X again and continue to press untill the last file on the list appears in the window & it says deleted.

File list:

Then while Still In safe mode uninstall the following items (if found):

Quote:

MyWebSearch Email Plugin BlockChecker MyWebSearch

Then please delete the following folders, if they exist.

C:\Program Files\Block Checker\

C:\Program Files\My Web Search\

Empty Recycle bin

---------------------------------------------------------------
Please download the trial version of Ewido Security Suite here:

http://www.ewido.net/en/download/

Install it, and update the definitions to the newest files.

Please run Ewido,and save the logfile from the scan

Post back the results here, along with the About:Buster logs, and a new HJT log

Re: HijackThis assistance needed
 

tayspen,

Thanks for your help.

I have followed your instructions and now attach the files as you suggest.

I await your next instructions.

I would like to thank you for making the instructions so clear. I was well able to follow them without any problems.

Jon

Re: HijackThis assistance needed
 

Much better! There are still a few more though. Now run HJT again and check these.


O4 - HKLM\..\Run: [BallSizeMagsShow] C:\Documents and Settings\All Users\Application Data\Dumb enc ball size\32 FORD.exe

O4 - Global Startup: updater.lnk = C:\Program Files\Common Files\updater\wupdater.exe



Click Fix Checked.

-------------------------------------------------------------
Now use Killbox like we did above to delete these files.

Then delete these folders

C:\Documents and Settings\All Users\Application Data\Dumb enc ball size\

C:\Program Files\Common Files\updater\

If it gives you an error, delete them in safe mode.

Post hopefully the last log

Re: HijackThis assistance needed
 

Hi tayspen,

I have followed your further instructions as requested.

The only things I could do was to delete file
C:\Program Files\Common Files\updater\wupdater.exe

and delete folder
C:\Program Files\Common Files\updater\

They were not there so hopefully a good sign?!

Please find attached the latest HJT log.

Jon

Re: HijackThis assistance needed
 

Sorry I could NOT do was to delete the file and folder for updater

Re: HijackThis assistance needed
 

Ok, Please repaste the path into killbox, then check Delete on reboot. Then reboot. That should delete it, post a new log after that.

Re: HijackThis assistance needed
 

Sorry teyspan,

I didn't make myself very clear.

I did all your instructions except I couldn't delete the file or the folder because they didn't exist in the structure. I assume they were already removed?!

Anyway, they don't exist so I cannot select them for deletion during reboot.

Did you still want me to reboot?

Jon

Re: HijackThis assistance needed
 

Oh, I am sorry. THey may be there just not visible, please do the following.

* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.

Then see if they are there, if so delete them as described above. If not just post another log :).

Re: HijackThis assistance needed
 

Tayspen,

I performed a search for the file and folder on the C:\ but nothing was found.

the only reference to wupdater.exe was in path C:\Program Files\SpyRemover\Recovery\KeenValueeUniverseMyFreeCursors.zip and
Files\SpyRemover\Recovery\KeenValueeUniverseMyFreeCursors2.zip

Anyhow, I have now rebooted and this is the latest logfile

Jon