I went to "Hijack this" and did a scan, and for the life of me I cannot find a button which would say "save" and would ask me where to save. Sorry, I seem to be having a problem with the most fundamental operation. I read what to do and I will go back and read again.


"The Scan Button has a new Caption. Save Log." When I went back and read the quick start, I rescanned and still did not see the above quote. I am using the 1.99 version; is that correct? I will figure this out with the help of all these good people reading this. So I will be patient.

allthetime

When you start HJT the first time, a "new users quickstart" screen appears; the first button will be "do a system scan and save a log file". If you use this, the log file will automatically be saved into the same folder where the HijackThis.exe is located and it will be loaded into notepad after the scan. However, if this screen doesn't show up (you can uncheck a checkbox to bypass this newbie screen), the "scan" button will change to "save" after the scan; by clicking it you will be prompted to save the file by a standard file selection window. Do you have the most recent (1.99.1) version?

"When you start HJT the first time" Now don't get upset with me, but on my computer I can't make out the fourth word. That's in the quote above. Are you saying that I don't use the "Hijack this" program first to scan my computer?

You know, I just give up, so I am going to just leave this forum. I will just take my computer down and spend $90 to have it reformatted or just have the 3 viruses taken out.

allthetime

I've got a vague feeling that HJT doesn't work correctly on your computer. I guess you refer to the description on this site: http://www.tomcoyote.org/hjt/ (Click on the images to enlarge them on this site)
The "new users quickstart" screen looks like this: http://www.pcentraide.com/index.php?showtopic=796 (Sorry, french site but just have a look at the screenshot on that page)

So which of both screens do you see first when you start HijackThis?

The very same button you clicked to do the scan should read "Save log" after the scan. That's what the phrase "The Scan Button has a new Caption. Save Log" means. If it doesn't, HJT is somehow messed up, maybe due to the infection. Try renaming the HijackThis.exe to something else then (like Britney.com or Spears.com) and try it again.

Forget what I said above. This time I double clicked the scan, or clicked the second time for scan, and it led me to save to my doc. I also saw the script in notepad, which I am going to copy and paste.

Logfile of HijackThis v1.99.1
Scan saved at 7:18:32 PM, on 9/18/06
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\LXCGPPLS.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATIPTAAA.EXE
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM FILES\LEXMARK 2300 SERIES\LXCGMON.EXE
C:\PROGRAM FILES\LEXMARK 2300 SERIES\EZPRINT.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MSWHEEL.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\SBC SELF SUPPORT TOOL\SMARTBRIDGE\MOTIVESB.EXE
C:\PROGRAM FILES\COMMON FILES\ROXIO SHARED\PROJECT SELECTOR\PROJSELECTOR.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\ROXIO\EASY CD CREATOR 6\AUDIOCENTRAL\RXMON.EXE
C:\PROGRAM FILES\ROXIO\EASY CD CREATOR 6\DRAGTODISC\DRGTODSC.EXE
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE
C:\PROGRAM FILES\CM DATA SOFTWARE\CM DISKCLEANER\SCHEDULE.EXE
C:\PROGRAM FILES\SONY CORPORATION\IMAGE TRANSFER\SONYTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\SBC SELF SUPPORT TOOL\BIN\MPBTN.EXE
C:\WINDOWS\SYSTEM\LXCGCOMS.EXE
C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\HIJACK THIS\HIJACKTHIS.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://login.yahoo.com/config/login_verify2?.intl=us&rand=2066721949&i=IWZkZHNKIXRzZnNydEpidXV4dSF0ZEqOZHh4fH5iU356YmNYcnM%3d&.src=ym
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F1 - win.ini: run=lxcgppls.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ATIGART] c:\ati\gart\atigart.exe
O4 - HKLM\..\Run: [AtiPTA] Atiptaaa.exe
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AtiQiPcl] AtiQiPcl.exe
O4 - HKLM\..\Run: [POINTER] C:\PROGRA~1\MICROS~2\point32.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [LXCGCATS] rundll32 C:\WINDOWS\SYSTEM\LXCGtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [lxcgmon.exe] "C:\Program Files\Lexmark 2300 Series\lxcgmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 2300 Series\ezprint.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [projselector] "C:\Program Files\Common Files\Roxio Shared\Project Selector\projselector.exe" -r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [Startup Cleaner] C:\Program Files\CM Data Software\CM DiskCleaner\Startup Cleaner.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"
O4 - HKCU\..\Run: [Schedule] C:\Program Files\CM Data Software\CM DiskCleaner\Schedule.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Image Transfer.lnk = C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
O4 - Startup: AT&T Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin9x/AvSniff.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/169c85fdba097131f318/netzip/RdxIE601.cab
O21 - SSODL: rjgoitr - {CDEFEE3D-EDCB-4226-931B-90E184C11CAC} - C:\WINDOWS\SYSTEM\hehesox.dll

I hope this is better. Also, I forgot to tell all that I just had cancer prostate surgery and am recovering and I am 62 and a bit slow at times, but when I get the hang of it I am fine.

Well done :) Can you remember the names of the three infections or do you still have the log files of the virus scan that told you of these infections? I can identify only two of them at the moment. The indication of the third one should be the last entry in the HJT log but I can't find any reference on which malware it generated.

I forgot to tell all that I just had cancer prostate surgery and am recovering and I am 62 and a bit slow at times but when I get the hang of it I am fine.

I'm crossing my fingers for you that your recovery is taking the best possible progress. And don't worry, you'll find all friendly and patient people here and you can't imagine how slow I can be at times...:) I'll continue browsing through your log tomorrow. (Need a nap now..3:15am local time here)

Here are the names of the infected viruses:

C:\WINDOWS\HELP\imapi.exe (may be infected by unknown virus.MPH

C:\WINDOWS\HELP\svchost.exe (may be infected by unknown virus.MPH

C:\PROGRAM FILES\secure32.html (virus found SpySheriff)

Hi takethetime,

if possible, please upload these files to http://virusscan.jotti.org for an online scan. Just go to that website, click on the "Choose" button on top of the page and navigate to the first file
C:\WINDOWS\HELP\imapi.exe
click "Submit" and wait for the result. Please post the result log here.

Same goes for
C:\WINDOWS\HELP\svchost.exe

If something doesn't work or if you have questions, don't hesitate to ask.

Sorry for jumping in, but you are infected. Please run HJT again, select do system scan only, and check these items.

F1 - win.ini: run=lxcgppls.exe

O21 - SSODL: rjgoitr - {CDEFEE3D-EDCB-4226-931B-90E184C11CAC} - C:\WINDOWS\SYSTEM\hehesox.dll

Click Fix Checked.

__________________________________________________

Please download Pocket Killbox by O^E.

  • Save it to your desktop.
  • Please double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\SYSTEM\hehesox.dll


  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

If your computer does not restart automatically, please restart it manually.

____________________________________________________

Please download and install ewido anti-spyware tool

  • Close all other applications. Select language, click OK
  • Click I Agree
  • Click Next
  • Click Install
  • Click Finish
  • Wait; Ewido will open its main screen automatically.
  • Wait again a few minutes and Ewido should auto-update itself. If it doesn't, click Update at the top of the screen.
  • It is very important to get updates
  • When updating has finished, close Ewido.

If you have an "always on" connection to the internet, physically disconnect that connection until you are finished with Safe Mode and have rebooted back into normal mode.

  • Next, please reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear; use the up arrow to highlight
  • Select the first option, to run Windows in Safe Mode, and hit Enter.
  • For additional help in booting into Safe Mode, see the following site: HERE

    You MUST manage to get into Safe Mode for the fix to work.

Make sure to close all open windows/programs/folders. Have nothing else open while ewido performs its scan!

  • Open Ewido
  • Click on Scanner at the top of the Ewido screen
  • Click on Settings
  • Under How to Act click on Recommended Action choose Quarantine
  • Under How to scan all boxes should be selected
  • Under Possibly unwanted software all boxes should be selected
  • On right side under Reports: click on Automatically generate report after every scan.
  • Under What to scan select scan every file
  • Click On scan Tab
  • Click on Complete system scan
  • Let the program scan the machine. It can take a while; give it time.
  • When the scan has finished, at the bottom of the screen click Apply all Actions
  • Click Save report
  • Click Save Report as (Save as window's screen should pop up.)
  • Click desktop
  • Click Save
  • Exit ewido

Reboot back to normal mode

________________________________________________

Ewido should kill most of it.

Post back with the ewido log, and a new HJT log.
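
An added example, not part of the original posts or of HijackThis: a small Python parser that compares the log posted above with the follow-up log the reply asks for, to confirm that the two entries checked under "Fix Checked" are really gone. The BEFORE sample reuses lines from the posted log; the AFTER log is constructed for illustration, and all function names are this example's own.

```python
import re

# A HijackThis result line is "<section code> - <details>", e.g. "O21 - SSODL: ...".
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")

def parse_hjt_log(text):
    """Split a HijackThis log into header lines, running processes and entries."""
    log = {"header": [], "processes": [], "entries": []}
    section = "header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = ENTRY_RE.match(line)
        if match:
            section = "entries"
            log["entries"].append((match.group(1), match.group(2)))
        elif line.lower().startswith("running processes"):
            section = "processes"
        elif section != "entries":
            log[section].append(line)
    return log

def _key(code, details):
    # Win9x paths and registry names are case-insensitive; collapse whitespace too.
    return code, " ".join(details.split()).lower()

def diff_entries(before_text, after_text):
    """Return (removed, added) entries between two scans of the same machine."""
    before = {_key(*e): e for e in parse_hjt_log(before_text)["entries"]}
    after = {_key(*e): e for e in parse_hjt_log(after_text)["entries"]}
    removed = [e for k, e in before.items() if k not in after]
    added = [e for k, e in after.items() if k not in before]
    return removed, added

def unresolved(fix_list, after_text):
    """Lines from the fix list that are still present in the follow-up log."""
    after = {_key(*e) for e in parse_hjt_log(after_text)["entries"]}
    pending = []
    for line in fix_list:
        match = ENTRY_RE.match(line.strip())
        if match and _key(match.group(1), match.group(2)) in after:
            pending.append(line.strip())
    return pending

# The two entries the reply asked to check, copied from the thread.
FIX_LIST = [
    r"F1 - win.ini: run=lxcgppls.exe",
    r"O21 - SSODL: rjgoitr - {CDEFEE3D-EDCB-4226-931B-90E184C11CAC} - C:\WINDOWS\SYSTEM\hehesox.dll",
]
# Excerpt of the log posted in the thread.
BEFORE = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\LXCGPPLS.EXE
F1 - win.ini: run=lxcgppls.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O21 - SSODL: rjgoitr - {CDEFEE3D-EDCB-4226-931B-90E184C11CAC} - C:\WINDOWS\SYSTEM\hehesox.dll
"""
# Constructed follow-up log: the F1 line is gone, the O21 line survived the fix.
AFTER = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\EXPLORER.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O21 - SSODL: rjgoitr - {CDEFEE3D-EDCB-4226-931B-90E184C11CAC} - c:\windows\system\hehesox.dll
"""

if __name__ == "__main__":
    removed, added = diff_entries(BEFORE, AFTER)
    print("removed:", removed)
    print("added:", added)
    print("still present:", unresolved(FIX_LIST, AFTER))
```

An entry that is still listed after the reboot, as the O21 line is in the constructed sample, is the case the Killbox "Delete on Reboot" step in the post is meant to handle.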

OK, I KNOW THIS IS GOING TO BE HARD TO UNDERSTAND, BUT THIS OTHER GUY WHO JUMPED IN OVER THE ONE WHO WAS HELPING ME OUT, I WANT YOU TO KNOW THAT'S OK AND YOU SEIZED THE MOMENT!! I MUST SAY, "QUITE A LOT OF INSTRUCTION FOR THIS OLD MAN." HOWEVER, I DID THREE "AVG" SCANS AND FOUND THIS TIME 9 TROJAN VIRUSES. (SPELLING) WHEN I WAS GOING TO CONFIRM AND RE-SCAN, "AVG" PROMPTED AND SAID IT HEALED ALL 9. WELL, I RE-SCANNED ANYWAY 3 MORE TIMES AND ALL THREE SHOWED A CLEAN SLATE. SO FOR NOW I AM GOING TO LEAVE IT AT THAT. "AVG" WILL PROMPT ME ALWAYS WHEN THERE IS A PROBLEM.

I believe I have something not right when I click "control, alt and delete".
Can I scan the start up program and list it on the site?

Sorry for confusing you, just trying to help :).

Not sure I understand your last post.

I know you are trying to help and thanks. Basically I scanned my computer with AVG three times and the first time it said it healed the viruses. Then I scanned two more times to be sure and the program said there were no viruses found. But I found something funny when I clicked "control-alt-delete": some of the programs running in the background were unusual. So, I was wondering if you want me to run a different scan? I can't think of the name but I know where it is and how to do this.

takethetime

There is an excellent scanner out there called ewido (www.ewido.net). It does a great job. Here are detailed instructions on how to use it. If you have any problems, post back :).

Please download and install ewido anti-spyware tool

  • Close all other applications. Select language, click OK
  • Click I Agree
  • Click Next
  • Click Install
  • Click Finish
  • Wait; Ewido will open its main screen automatically.
  • Wait again a few minutes and Ewido should auto-update itself. If it doesn't, click Update at the top of the screen.
  • It is very important to get updates
  • When updating has finished, close Ewido.

If you have an "always on" connection to the internet, physically disconnect that connection until you are finished with Safe Mode and have rebooted back into normal mode.

  • Next, please reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear; use the up arrow to highlight
  • Select the first option, to run Windows in Safe Mode, and hit Enter.
  • For additional help in booting into Safe Mode, see the following site: HERE

    You MUST manage to get into Safe Mode for the fix to work.

Make sure to close all open windows/programs/folders. Have nothing else open while ewido performs its scan!

  • Open Ewido
  • Click on Scanner at the top of the Ewido screen
  • Click on Settings
  • Under How to Act click on Recommended Action choose Quarantine
  • Under How to scan all boxes should be selected
  • Under Possibly unwanted software all boxes should be selected
  • On right side under Reports: click on Automatically generate report after every scan.
  • Under What to scan select scan every file
  • Click On scan Tab
  • Click on Complete system scan
  • Let the program scan the machine. It can take a while; give it time.
  • When the scan has finished, at the bottom of the screen click Apply all Actions
  • Click Save report
  • Click Save Report as (Save as window's screen should pop up.)
  • Click desktop
  • Click Save
  • Exit ewido

Reboot back to normal mode

And if you add that log to your next post, I can help you kill the rest of the viri :D.

Ok, I printed out the instructions and I will have to take these steps very slowly and then I will add the report to the next post.

As my ID says: take the time.

We may have a problem. I am running Win98SE and the Ewido anti-spyware tool is for Win2000 and XP. Suggestions!!

takethetime

Well, apparently I don't seem to be having a problem now with trojans etc. I want to thank the two guys that did instruct me somewhat.

takethetime
