Please help with my Log



Posted by: bartacuslg1

I have run Microsoft AntiSpyware, Spybot S&D, and CWShredder. I would appreciate help with which lines I should have HJT fix... I see the obvious ones, but don't want to make any mistakes. Thanks in advance.


Logfile of HijackThis v1.99.0
Scan saved at 12:18:06 PM, on 1/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\LVCOMS.EXE
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Hijackthis\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\BART~1.BAR\LOCALS~1\Temp\sp.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\BART~1.BAR\LOCALS~1\Temp\sp.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_12_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2BD3A6BF-AAD4-4745-A631-8349DA42F13B} - C:\WINDOWS\system32\nkfo.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /nosystray
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [LVCOMS] C:\WINDOWS\System32\LVCOMS.EXE
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire HomePortal Monitor\2portalmon.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\RunOnce: [MicrosoftAntiSpywareCleaner] C:\Program Files\Microsoft AntiSpyware\gcASCleaner.exe
O4 - Startup: Connection Manager.lnk = C:\Program Files\BellSouth\Connection Manager\CManager.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {084F552D-19EB-4668-9788-984CBC781A8F} (AsyncDownloader Class) - http://survey.otxresearch.com/Preloader.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - http://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {558958F1-FF22-4A76-8595-79A6B7BA698A} (PuzzleBobbleLauncher Control) - https://www.pbo.jp/bobrun/PuzzleBobbleLauncher.ocx
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O18 - Filter: text/html - {EA354D4F-F9F3-4503-92BE-048F269A823F} - C:\WINDOWS\system32\nkfo.dll
O18 - Filter: text/plain - {EA354D4F-F9F3-4503-92BE-048F269A823F} - C:\WINDOWS\system32\nkfo.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Client - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe



Posted by: office politics

These will prolly come back; if you see the sp.html then this problem cannot be fixed with HijackThis alone.
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\BART~1.BAR\LOCALS~1\Temp\sp.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\BART~1.BAR\LOCALS~1\Temp\sp.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

Could be a result of spyware:
O2 - BHO: (no name) - {2BD3A6BF-AAD4-4745-A631-8349DA42F13B} - C:\WINDOWS\system32\nkfo.dll (file missing)

Make boot time quicker by eliminating unnecessary apps that start on boot:
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /nosystray
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [LVCOMS] C:\WINDOWS\System32\LVCOMS.EXE
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire HomePortal Monitor\2portalmon.exe

(Never seen these before.)
O18 - Filter: text/html - {EA354D4F-F9F3-4503-92BE-048F269A823F} - C:\WINDOWS\system32\nkfo.dll
O18 - Filter: text/plain - {EA354D4F-F9F3-4503-92BE-048F269A823F} - C:\WINDOWS\system32\nkfo.dll

Lexmark printer server?
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

Video card service:
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
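The reasoning in this reply (Temp-folder search pages, blanked search settings, a nameless BHO whose file is missing, and O18 filters that nobody has seen before) can be written down as rules. The script below is an added example for this thread, not a HijackThis feature and not code from anyone in the thread: it parses R*/O* lines, flags the same kinds of entries the helpers point at, and corroborates an O18 filter when its DLL is the same file behind a nameless or missing O2 BHO (nkfo.dll above). The sample lines are a constructed subset of the log posted above, with three clean entries left in for contrast.

```python
"""Rule-based triage for HijackThis (HJT) v1.99-style log lines.

Added example: the rules mirror the entries flagged in this thread and are
not a HijackThis feature. Run as a script to see the flagged lines.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: a subset of the log posted above, with three known-good
# entries (Adobe BHO, NVIDIA Run key, Symantec service) kept in for contrast.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\BART~1.BAR\LOCALS~1\Temp\sp.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2BD3A6BF-AAD4-4745-A631-8349DA42F13B} - C:\WINDOWS\system32\nkfo.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O18 - Filter: text/html - {EA354D4F-F9F3-4503-92BE-048F269A823F} - C:\WINDOWS\system32\nkfo.dll
O18 - Filter: text/plain - {EA354D4F-F9F3-4503-92BE-048F269A823F} - C:\WINDOWS\system32\nkfo.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
"""

ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
# First DOS path in an entry, up to a file extension (paths may contain spaces).
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:dll|exe|ocx|html?)\b", re.IGNORECASE)
TEMP_DIR_RE = re.compile(r"\\Temp\\", re.IGNORECASE)
SEARCH_KEYS = ("Search Bar", "Search Page", "SearchAssistant", "HomeOldSP")


@dataclass
class Entry:
    section: str   # e.g. "R1", "O2", "O18"
    body: str      # everything after "R1 - "
    raw: str       # the original line, for the fix list

    @property
    def file_name(self) -> str:
        """Lower-cased file name of the first path in the body, or ''."""
        m = PATH_RE.search(self.body)
        return m.group(0).rsplit("\\", 1)[-1].lower() if m else ""


@dataclass
class Finding:
    entry: Entry
    reason: str


def parse(log_text: str) -> list[Entry]:
    """Keep only R*/O* entries; the header and the process list are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m["section"], m["body"], line.strip()))
    return entries


def is_suspect_bho(e: Entry) -> bool:
    """An O2 BHO with no name or a missing file (both true for nkfo.dll above)."""
    return e.section == "O2" and ("(no name)" in e.body or "(file missing)" in e.body)


def triage(log_text: str) -> list[Finding]:
    entries = parse(log_text)
    # DLLs behind nameless/missing BHOs corroborate O18 filters that use the same file.
    suspect_dlls = {e.file_name for e in entries if is_suspect_bho(e) and e.file_name}
    findings: list[Finding] = []
    for e in entries:
        if e.section in ("R0", "R1"):
            key, _, value = e.body.partition(" = ")
            value = re.sub(r"\s+", "", value)  # tolerate the "about :blank" forum artifact
            if TEMP_DIR_RE.search(value):
                findings.append(Finding(e, "IE search setting points at a file in a Temp folder"))
            elif value == "about:blank" and any(k in key for k in SEARCH_KEYS):
                findings.append(Finding(e, "IE search setting blanked to about:blank"))
        elif is_suspect_bho(e):
            findings.append(Finding(e, "BHO with no name or missing file"))
        elif e.section == "O18":
            if e.file_name in suspect_dlls:
                findings.append(Finding(e, f"MIME filter backed by {e.file_name}, the same DLL as a nameless/missing BHO"))
            else:
                findings.append(Finding(e, "MIME/protocol filter: rare on a clean system, review"))
    return findings


def fix_list(log_text: str) -> list[str]:
    """The raw lines a helper would ask the poster to tick in HJT."""
    return [f.entry.raw for f in triage(log_text)]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.entry.section:>3}] {f.reason}\n      {f.entry.raw}")
```

On the sample it flags exactly the six lines the helpers single out (three R entries, the nkfo.dll BHO, both O18 filters) and leaves the Adobe, NVIDIA and Symantec entries alone. The cross-reference between O2 and O18 is the part worth keeping: a MIME filter on its own is merely unusual, but one backed by the same file as a nameless BHO is how the two halves of this hijack show up together in a log.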



Posted by: southernlady

Create a folder on your C: drive and call it something like MalwareTools, and place the following files in there. Unzip them but [B]do NOT run them YET![/B]

Download [URL=http://www.spyware911.net/forum/index.php?showtopic=17]Coolweb Shredder[/URL] Do Not run it yet. Remember to download and unzip it into the MalwareTools folder.

Download [URL=http://www.spyware911.net/downloads/AboutBuster.zip]About Buster 4.0[/URL] Do Not run it yet. Remember to download and unzip it into the MalwareTools folder.

Unzip AboutBuster to the MalwareTools folder then click the "Update Button" then click "Check for Update" and download the updates and then click "Exit" because I don't want you to run it yet. Just get the updates so it is ready to run later in safe mode.

Download [URL=http://www.majorgeeks.com/download3155.html]HijackThis[/URL] Do Not run it yet. Remember to download and unzip it into the MalwareTools folder.

Now go ahead and set your computer to show hidden files like so: [URL=http://www.spyware911.net/forum/index.php?showtopic=27]Show hidden files & folders[/URL]
Click on My Computer then go to View > Folder Options. Click on the "View" tab and make sure "Show all files" is ticked and uncheck "Hide file extensions for known file types". Click "Like Current Folder" then click "Apply" then "OK"

Sign off the internet and remain offline until this procedure is complete. Unplug your modem or disconnect the cable or phone line. Copy these instructions to notepad and save them on your desktop for easy access. You must follow these directions exactly and you cannot skip any part of it. [B][COLOR=red]MAKE SURE YOU COPY THESE INSTRUCTIONS TO NOTEPAD FOR REFERENCE![/COLOR][/B]

Restart to safe mode.

Perform the following steps in [URL=http://www.spyware911.net/safemode.htm]Safe Mode[/URL]:

Run Hijack This again and put a check by these. Close ALL windows except HijackThis and click [B]"Fix checked"[/B]

[B]R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\BART~1.BAR\LOCALS~1\Temp\sp.dll/sp.html[/B]

[B]R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank[/B]

[B]R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\BART~1.BAR\LOCALS~1\Temp\sp.dll/sp.html[/B]

[B]R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank[/B]

[B]R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank[/B]

[B]R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank[/B]

[B]R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank[/B]

[B]R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank[/B]

[B]O2 - BHO: (no name) - {2BD3A6BF-AAD4-4745-A631-8349DA42F13B} - C:\WINDOWS\system32\nkfo.dll (file missing)[/B]

[B]O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe[/B]

[B]O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll[/B]

[B]O18 - Filter: text/html - {EA354D4F-F9F3-4503-92BE-048F269A823F} - C:\WINDOWS\system32\nkfo.dll[/B]

[B]O18 - Filter: text/plain - {EA354D4F-F9F3-4503-92BE-048F269A823F} - C:\WINDOWS\system32\nkfo.dll[/B]

Now find and delete this file:

C:\Program Files\[B]Viewpoint\Viewpoint Manager\ViewMgr.exe[/B]

Next run aboutbuster. Double click aboutbuster.exe, click OK, click Start, then click OK. This will scan your computer for the bad files and delete them.

Finally, run CWShredder. Just click on cwshredder.exe, then click "Fix" (not "Scan only") and let it do its thing.

Navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Go to Start > Run and type [B]%temp%[/B] in the Run box. The Temp folder will open. Click Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.

Then go to Add/Remove programs:

Remove via Start -> Settings -> Add/Remove Programs/[B]Viewpoint Manager[/B]

Boot back into Windows now.

Go here [URL=http://housecall.trendmicro.com/]Trend Micro - Free online virus Scan[/URL] and do an online virus scan.

Be sure and put a check in the box by "Auto Clean" before you do the scan. If it finds anything that it cannot clean have it delete it or make a note of the file location so you can delete it yourself. Housecall will detect the leftover files from this hijacker.

This hijacker is known to alter or delete certain files so check this out please:

Download the [URL=http://www.spyware911.net/downloads/hoster.zip]Hoster.zip[/URL]. UnZip the file and press "Restore Original Hosts" and press "OK". Exit Program.

With Spybot S&D installed you will also need to replace one file.
Go here [URL=http://www.spywareinfo.com/~merijn/files/windows/sdhelper13.zip]SDHelper.dll[/URL] and download SDHelper.dll. Copy the file to the folder containing your Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy)

control.exe may have been deleted.
See if control.exe is present in C:\windows\system

If control.exe isn't there, Click here [URL=http://www.richardthelionhearted.com/~merijn/files/windows/control_xp.zip]control_xp.zip[/URL] to download control_xp.zip.

Unzip the file and copy the new control.exe file to the C:\Windows\System folder.

IMPORTANT!: Please check your ActiveX security settings. They may have been changed by this CWS variant to allow ALL ActiveX!! If they have been changed, reset your ActiveX security settings in IE as recommended here: [URL=http://www.jfitz.com/tips/ie_security_config.html]Configuring Internet Explorer Security Settings[/URL].

Reboot

Empty the Recycle Bin

Then post another HijackThis log. Liz



Posted by: bartacuslg1

Well, everything seems to be working fine now. The homepage is staying set. I didn't do some of the final steps, like checking for those missing files (control.exe) etc... are those important? Things seem to be running fine... Thanks for your help... Bart



Posted by: southernlady

Glad it's fixed...the last steps were in case you lost your internet connection in the process.

I'm closing this thread. If you have any more problems, just PM me. In the meantime, read the threads on
[URL=http://www.tech-forums.net/showthread.php?s=&threadid=36259]Normal maintenance[/URL]
[URL=http://www.tech-forums.net/showthread.php?s=&threadid=36259]How Did I Get Infected in the First Place?[/URL]
[URL=http://www.tech-forums.net/showthread.php?s=&threadid=38478]Terminating Spyware With Extreme Prejudice[/URL]
Liz