
Is there anything wrong with this Log?

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Derek\Desktop\Hijack This\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\yatod.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,jvasnto.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [win320802-1326529] C:\WINDOWS\win320802-1326529.exe
O4 - HKLM\..\Run: [errorhandler] C:\WINDOWS\errorhandler.exe
O4 - HKLM\..\Run: [we4e17f0.dll] RUNDLL32.EXE we4e17f0.dll,I2 000896fb0e4e17f0
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\System32\mwinqqag.exe GID003
O4 - HKLM\..\Run: [CleanUp] C:\DOCUME~1\Derek\LOCALS~1\Temp\2006423214439_mcappins.exe /v=3 /cleanup
O4 - HKLM\..\Run: [msci] C:\DOCUME~1\Derek\LOCALS~1\Temp\2006423214431_mcinfo.exe /insfin
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [EQAdvice] "C:\Program Files\EQAdvice\EQAdvice.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\System32\dmonwv.dll (file missing)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\System32\dmonwv.dll (file missing)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: ShellScrap - C:\WINDOWS\system32\h42o0ef3eh2.dll
O20 - Winlogon Notify: WBSrv - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

Last Post by 'Stein

Yes, several problems. First off, all I say is that you're INFESTED, but it can all be fixed. Second, ya didn't include the header that lists the HJT version, IE version, and Windows version.

Post the header next time please :)


Let's begin by doing several things.

First, uninstall EQAdvice through the Add/Remove Programs list.

Then, completely update Ewido (I already see it's installed), but DON'T run it yet.

Next, download SpySweeper (link in my sig below). Update all its definitions, but don't run a scan yet.

Next, begin by downloading CCleaner, and specifically choosing the most recent version.

Then, follow these steps:

1. Close all programs so that you are at your desktop.
2. Double-click on the "My Computer" icon.
3. Select the "Tools" menu and click "Folder Options".
4. After the new window appears select the "View" tab.
5. Place a checkmark in the checkbox labeled "Display the contents of system folders".
6. Under the "Hidden files and folders" section select the radio button labeled "Show hidden files and folders".
7. Remove the checkmark from the checkbox labeled "Hide file extensions for known file types".
8. Remove the checkmark from the checkbox labeled "Hide protected operating system files".
9. Press the "Apply" button and then the "OK" button and shut down My Computer.
10. Now your computer is configured to show all hidden files.

Now, install the program. Open it, and choose the 'Options' tab. Inside, hit the 'Custom' tab, and add the following folders (Note: Not all of these files are on every computer. If one of these isn't present, skip it):

C:\Windows\Temp
C:\Temp
C:\Documents and Settings\<Every user listed>\Local Settings\Temp
C:\Documents and Settings\<Every user listed>\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\<Every user listed>\History
C:\Documents and Settings\<Every user listed>\Cookies
C:\Windows\Prefetch

After doing this, move back to the 'Cleaner' tab, and inside this, be sure you're open to the 'Windows' tab. Inside, check the box labeled 'Custom Files and Folders'.


Now, copy this advice to a Notepad file. Save it to your desktop. We will use it later.

1) Please download the Killbox.
Unzip it to the desktop but do NOT run it yet.

After this, reboot into safe mode (repeatedly hit F8 while starting up).

While in safe mode, run scans with Ewido, SpySweeper, and CCleaner (in that order). Save both the Ewido and SpySweeper scan logs on the desktop.

Then, after doing this, run Killbox.

1) Select "delete on reboot" and put a check in "unregister dll".

2) Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:

we4e17f0.dll
C:\WINDOWS\System32\dmonwv.dll
C:\WINDOWS\system32\h42o0ef3eh2.dll

3) Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

4) Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try TheKillbox again.

Reboot into normal mode again. Then, shut the computer down for 30 seconds, and then reboot into safe mode again.

When in safe mode, run Killbox.

1) Select "Delete on Reboot".

2) Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\Program Files\outlook\outlook.exe
C:\WINDOWS\win320802-1326529.exe
C:\WINDOWS\errorhandler.exe
C:\WINDOWS\System32\mwinqqag.exe
C:\Program Files\EQAdvice\EQAdvice.exe

3) Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

4) Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try TheKillbox again.

Let the system reboot.


Next, open HJT and check the following:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [win320802-1326529] C:\WINDOWS\win320802-1326529.exe
O4 - HKLM\..\Run: [errorhandler] C:\WINDOWS\errorhandler.exe
O4 - HKLM\..\Run: [we4e17f0.dll] RUNDLL32.EXE we4e17f0.dll,I2 000896fb0e4e17f0
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\System32\mwinqqag.exe GID003
O4 - HKLM\..\Run: [CleanUp] C:\DOCUME~1\Derek\LOCALS~1\Temp\2006423214439_mcappins.exe /v=3 /cleanup
O4 - HKLM\..\Run: [msci] C:\DOCUME~1\Derek\LOCALS~1\Temp\2006423214431_mcinfo.exe /insfin
O4 - HKCU\..\Run: [EQAdvice] "C:\Program Files\EQAdvice\EQAdvice.exe"
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\System32\dmonwv.dll (file missing)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\System32\dmonwv.dll (file missing)
O20 - Winlogon Notify: ShellScrap - C:\WINDOWS\system32\h42o0ef3eh2.dll

After checking all of these, close ALL windows and hit 'fix checked'.

After doing this, reboot into safe mode and delete the following folders:

C:\Program Files\outlook
C:\Program Files\EQAdvice


After doing all of this, restart your computer and run HJT. Save the log, and post it here with the SpySweeper and Ewido logs.

We'll continue fixing from there (we're not nearly done).

Thanks.
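
Several of the entries singled out in the reply above can be surfaced mechanically from the log format. The following Python script is an added example, not part of the original thread and not HijackThis's own logic; its three review heuristics (extra programs on Shell/UserInit, Run entries launching from a Temp directory or directly from C:\WINDOWS, and "(file missing)" targets) are assumptions chosen for illustration.

```python
import ntpath
import re

# Lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\yatod.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,jvasnto.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [errorhandler] C:\WINDOWS\errorhandler.exe
O4 - HKLM\..\Run: [msci] C:\DOCUME~1\Derek\LOCALS~1\Temp\2006423214431_mcinfo.exe /insfin
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\System32\dmonwv.dll (file missing)
"""

ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
F2_RE = re.compile(r"^REG:system\.ini: (\w+)=(.*)$")
O4_RE = re.compile(r'\] "?([^"]*?\.(?:exe|dll))', re.IGNORECASE)
# The only program each Winlogon value normally names.
EXPECTED = {"shell": "explorer.exe", "userinit": "userinit.exe"}

def review_reasons(line):
    """Return the reasons one log entry deserves a closer look (may be empty)."""
    entry = ENTRY_RE.match(line.strip())
    if not entry:
        return []
    code, body = entry.groups()
    reasons = []
    if body.endswith("(file missing)"):
        reasons.append("target file missing")
    f2 = F2_RE.match(body) if code == "F2" else None
    if f2 and f2.group(1).lower() in EXPECTED:
        wanted = EXPECTED[f2.group(1).lower()]
        for prog in filter(None, (p.strip() for p in f2.group(2).split(","))):
            if ntpath.basename(prog).lower() != wanted:
                reasons.append("extra program on %s: %s" % (f2.group(1), prog))
    o4 = O4_RE.search(body) if code == "O4" else None
    if o4:
        path = o4.group(1).lower()
        if "\\temp\\" in path:
            reasons.append("autorun from a Temp directory")
        if ntpath.dirname(path) == r"c:\windows":
            reasons.append("autorun executable directly in C:\\WINDOWS")
    return reasons

def triage(log_text):
    """Return (line, reasons) for every entry that matched a heuristic."""
    hits = [(ln.strip(), review_reasons(ln)) for ln in log_text.splitlines()]
    return [(ln, why) for ln, why in hits if why]

if __name__ == "__main__":
    for ln, why in triage(SAMPLE_LOG):
        print("; ".join(why), "<-", ln)
```

A hit only marks an entry for manual review; entries that match none of these rules still need a person to read them.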
