Overwhelmed.. oneidadserver and outerinfo!~!


  • This topic is locked

#1
dekor

    New Member
  • Member
  • 6 posts
Hey guys, can someone please guide me through what I have to do to remove these pieces of garbage? I've seen a million posts on the net with all these huge hijack logs... can someone please help me out?

Much appreciated to all who respond, thanks :whistling:

#2
harrythook

    Trusted Helper
  • Retired Staff
  • 2,618 posts
Hello dekor, and welcome to Geeks to Go :blink:
My name is Harry, and let's see what we can do to help you out there.

Hopefully your HJT log won't be that large :whistling:

  • Click here to download HJTsetup.exe
  • Save HJTsetup.exe to your desktop.
  • Double-click on the HJTsetup.exe icon on your desktop.
  • By default it will install to C:\Program Files\Hijack This.
  • Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
  • Put a check by Create a desktop icon then click Next again.
  • Continue to follow the rest of the prompts from there.
  • At the final dialogue box click Finish and it will launch Hijack This.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.
Post it, and I'll get back to you!

Harry

#3
dekor

Logfile of HijackThis v1.99.1
Scan saved at 8:52:42 PM, on 12/20/2006
Platform: Windows 2003 SP1 (WinNT 5.02.3790)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\Program Files (x86)\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\PROGRA~2\COMMON~1\RACLE~1\winspool.exe
C:\Program Files (x86)\MSN Messenger\msnmsgr.exe
C:\Program Files (x86)\RocketDock\RocketDock.exe
C:\WINDOWS\?ymantec\n?lookup.exe
C:\Program Files (x86)\Winamp\winampa.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\SysWOW64\ctfmon.exe
C:\WINDOWS\SysWOW64\svchost.exe
C:\Program Files (x86)\iPod\bin\iPodService.exe
C:\Program Files (x86)\Winamp\winamp.exe
C:\Program Files (x86)\mIRC\mirc.exe
C:\Program Files\Logitech\SetPoint\x86\SetPoint32.exe
C:\PROGRA~2\MOZILL~1\FIREFOX.EXE
C:\Program Files (x86)\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R3 - URLSearchHook: (no name) - {D1C93E0E-FB9D-D643-CFF9-87FA3DDD6B98} - C:\WINDOWS\SysWow64\ghkjmptr.dll
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1012A769-3CA6-1574-A6A8-1243B763A1CC} - blank (file missing)
O2 - BHO: (no name) - {86D8C587-501C-7ECC-4102-2DF07CCE6D93} - blank (file missing)
O2 - BHO: (no name) - {CE6BE1D7-761F-52CB-45F7-07E29D717095} - blank (file missing)
O2 - BHO: (no name) - {D1C93E0E-FB9D-D643-CFF9-87FA3DDD6B98} - C:\WINDOWS\SysWow64\ghkjmptr.dll
O2 - BHO: (no name) - {D2D29AD2-5441-2C98-4102-2DF07CCF6A93} - blank (file missing)
O2 - BHO: (no name) - {D5E3F33F-35A4-4B7D-A2AE-171342DC3F96} - blank (file missing)
O2 - BHO: (no name) - {E7AB93F1-5866-73B6-6EEE-26800B3803C7} - blank (file missing)
O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\syswow64\msdxm.ocx
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files (x86)\Winamp\winampa.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKCU\..\Run: [Satt] "C:\PROGRA~2\COMMON~1\RACLE~1\winspool.exe" -vt ndrv
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files (x86)\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files (x86)\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [Ssxizfeu] C:\WINDOWS\?ymantec\n?lookup.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: Open using &Advanced JPEG Compressor - C:\Program Files (x86)\Advanced JPEG Compressor\ajcieex.htm
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files (x86)\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files (x86)\Yahoo!\Messenger\YahooMessenger.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files (x86)\Yahoo!\Common\yinsthelper.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~2\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~2\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WBSrv - C:\PROGRA~2\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files (x86)\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe (file missing)
O23 - Service: Event Log (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)
O23 - Service: HTTP SSL (HTTPFilter) - Unknown owner - C:\WINDOWS\System32\lsass.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files (x86)\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Unknown owner - (no file)
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files (x86)\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~2\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Distributed Transaction Coordinator (MSDTC) - Unknown owner - C:\WINDOWS\system32\msdtc.exe (file missing)
O23 - Service: Net Logon (Netlogon) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: NT LM Security Support Provider (NtLmSsp) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - Unknown owner - C:\WINDOWS\system32\nvsvc64.exe (file missing)
O23 - Service: O&O Defrag - Unknown owner - C:\WINDOWS\system32\oodag.exe (file missing)
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files (x86)\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Plug and Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)
O23 - Service: IPSEC Services (PolicyAgent) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Protected Storage (ProtectedStorage) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Remote Desktop Help Session Manager (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe (file missing)
O23 - Service: Security Accounts Manager (SamSs) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files (x86)\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: Virtual Disk Service (vds) - Unknown owner - C:\WINDOWS\System32\vds.exe (file missing)
O23 - Service: Volume Shadow Copy (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe (file missing)
O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe (file missing)



That's it :whistling: Hope it helps, and thank you.
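A first-pass triage of a HijackThis log like the one posted above, as an added example that is not part of the original thread or of HijackThis itself. The verdict names and the three heuristics are assumptions chosen for illustration: a `?` inside a file path, entries marked `(file missing)` or `(no file)`, and unnamed components that do have a file on disk. It also assumes that `(file missing)` on system32 service binaries in a 64-bit log comes from 32-bit file-system redirection rather than from the files being gone.

```python
import re

# Constructed sample: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
Platform: Windows 2003 SP1 (WinNT 5.02.3790)
C:\WINDOWS\?ymantec\n?lookup.exe
C:\WINDOWS\SysWOW64\ctfmon.exe
R3 - URLSearchHook: (no name) - {D1C93E0E-FB9D-D643-CFF9-87FA3DDD6B98} - C:\WINDOWS\SysWow64\ghkjmptr.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1012A769-3CA6-1574-A6A8-1243B763A1CC} - blank (file missing)
O2 - BHO: (no name) - {D1C93E0E-FB9D-D643-CFF9-87FA3DDD6B98} - C:\WINDOWS\SysWow64\ghkjmptr.dll
O4 - HKCU\..\Run: [Ssxizfeu] C:\WINDOWS\?ymantec\n?lookup.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Net Logon (Netlogon) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
"""

ENTRY = re.compile(r"^([ORF]\d{1,2}) - (.+)$")       # "O4 - ...", "R3 - ..."
DRIVE_PATH = re.compile(r'[A-Za-z]:\\[^"]*')          # C:\... up to a closing quote
MISSING = re.compile(r"\((file missing|no file)\)")
SYSTEM32 = re.compile(r"\\windows\\system32\\", re.I)

def triage(log_text):
    """Return (code, verdict, line) tuples for lines that need a human look."""
    # A log that mentions SysWOW64 or "Program Files (x86)" came from 64-bit Windows.
    is_x64 = bool(re.search(r"syswow64|\(x86\)", log_text, re.I))
    findings = []
    for line in filter(None, map(str.strip, log_text.splitlines())):
        m = ENTRY.match(line)
        if m:
            code, body = m.groups()
        elif re.match(r"[A-Za-z]:\\", line):          # "Running processes" section
            code, body = "PROC", line
        else:
            continue
        path = DRIVE_PATH.search(body)
        if path and "?" in path.group():
            findings.append((code, "unprintable-char-in-path", line))
        elif MISSING.search(body):
            # Assumption: on x64, a 32-bit scanner cannot see native system32 files.
            if is_x64 and code == "O23" and SYSTEM32.search(body):
                verdict = "likely-wow64-redirection"
            else:
                verdict = "dangling-entry"
            findings.append((code, verdict, line))
        elif "(no name)" in body and path:
            findings.append((code, "unnamed-component-with-file", line))
    return findings
```

The output is a reading list for the helper, not a fix list: every flagged line still needs the manual review described in this thread before anything is removed.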

#4
harrythook

Hey dekor,
It may take a bit to review the log, but we are working on it :whistling:

Hang in there

Harry

#5
dekor

Thank you.. Also, sometimes I get a random icon appearing on my desktop labelled Free Music Downloads or some garbage like that. Are these all related?

#6
dekor

bump

#7
harrythook

Hey dekor,
Please, no more bumps; it really won't help. All instructions are reviewed for accuracy, and as it's the holiday season, sometimes things get a little hectic. Sorry for the delay.

It seems that you are lacking some protection there. We need to work on that.

Let's run one thing first:

1. Download this file:

Combofix

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that please.
Note:
Do not mouse-click combofix's window while it's running. That may cause it to stall.

Next,
Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post.

Finally, give me a fresh HiJack log.


Post the following results:
  • combofix log
  • Uninstall list
  • Hjt log
Harry

#8
dekor

Sorry about the bump, didn't know how things worked around here..

Bad news, combofix says unsupported operating system.. I am using Windows XP 64-bit Professional.. any word on this?

#9
harrythook

Working on it, will reply back shortly.

Harry

#10
harrythook

Hey dekor,
Just waiting for the OK to give you another direction to fix this.
Working with Server 2003 sometimes requires different types of removal; it's not commonly seen here.
I am so sorry for the delays, it's really a hard time of year for us here. :blink:

One thing you can do is give me that uninstall list I asked for :whistling:

Harry

#11
dekor

"AbiWord 2.4.1 (remove only)"
3D Ultra Pinball Thrillride
3DMark05
Ace Utilities 2.6.0
Ad-Aware SE Personal
Adobe Common File Installer
Adobe Flash Player 9 ActiveX
Adobe Help Center 1.0
Adobe Photoshop CS2
Adobe Reader 7.0.8
Adobe Stock Photos 1.0
Advanced JPEG Compressor 4.8
AGEIA PhysX v2.6.0
Ai Booster
Asus Probe V2.64.05
AsusUpdate
Atomic Cannon Demo
AudioLabel
Autumn Steeple
AVG 7.5
BitLord 1.1
Carmageddon II Carpocalypse Now
Codec Pack - All In 1 6.0.3.0
Cool & Quiet
Creative Audio Console
Creative Mass Storage Drivers
DAO
Dark Messiah
DaZZle Emule Mod 0.46c
DivX
DivX Converter
DivX Web Player
EA SPORTS online 2006
Eclipse 1.0
eMule
Exercise Diary 3.1
Fable - The Lost Chapters
FEAR
FEAR Extraction Point
FlashFXP v3
Google Earth
Gorgeous Fall Foliage Screen Saver
Half-Life® 2
Harry Potter and the Goblet of Fire™
Hauppauge WinTV2000
Hijackthis 1.99.1
ID3-TagIT 3
iDump v1.0.6
InFlac 1.1.1
iTunes
J2SE Runtime Environment 5.0 Update 4
J2SE Runtime Environment 5.0 Update 6
King's Quest 1 VGA
King's Quest 1 VGA Music Pack
King's Quest 1 VGA Speech Pack
King's Quest 2 VGA
King's Quest 2 VGA Digital Music Pack
King's Quest 2 VGA Speech Pack
Legendo's The Three Musketeers Demo
Lernout & Hauspie TruVoice American English TTS Engine
LimeWire 4.12.6
LiveUpdate 3.1 (Symantec Corporation)
Logitech Gaming Software 64
Logitech Harmony Remote Software
Logitech SetPoint
Macromedia Shockwave Player
Magic ISO Maker v5.0 (build 0166)
MagicTune3.6_Client_pivot
Max Payne 2
mIRC
Mozilla Firefox (1.5.0.9)
Nalu
Nero 7 Demo
NewsLeecher
PlayLinc
PowerDVD
Prey
QuickPar 0.9
QuickTime
Rainy Screensaver 2.2.11
RealPlayer
Registry Mechanic 5.2
RoboBlitz
RocketDock 1.2.5
RollerCoaster Tycoon® 3
ScummVM SVN
Sleigh Ride Demo
SoulSeek Client 156c
SpeechRedist
Steam
Super Mp3 Recorder Professional v6.2
The Battle for Middle-earth ™
Ulead VideoStudio 9.0 SE DVD
Unreal Tournament 2004
Vampire - The Masquerade Bloodlines
VideoLAN VLC media player 0.8.5
Winamp (remove only)
WindowBlinds
Windows Live Messenger
WinRAR archiver
World of Warcraft
XviD MPEG-4 Codec
Yahoo! Messenger



Uninstall list.. thanks :whistling:

#12
harrythook

Hello dekor,
Once again, sorry for the delays.

Let's try this:
Copy everything inside the quote box below (starting with dir) and paste it into notepad. Go up to "File > Save As" and click the drop-down box to change the "Save As Type" to "All Files". Save it as findfile.bat on your Desktop.

dir C:\WINDOWS\system32\C:\WINDOWS\?ymantec\ /a h > files.txt
notepad files.txt


Locate findfile.bat on your Desktop and double-click on it. It will open Notepad with some text in it. There should be results for 2 (two) folders there. Please post the contents of that Notepad here.

Next,
Please download AVG Anti-Spyware from HERE and save that file to your desktop.
This is a 30 day trial of the program
  • Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double-click it to launch the set up program.
  • Once the setup is complete you will need to run AVG Anti-Spyware and update the definition files.
  • On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
Close AVG Anti-Spyware, Do Not run a scan just yet, we will shortly.
  • Reboot your computer into SafeMode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight SafeMode then hit enter.
    IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning, it may interfere with the scanning process:
  • Launch AVG Anti-Spyware by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
  • AVG Anti-Spyware will now begin the scanning process, be patient this may take a little time.
    Once the scan is complete do the following:
  • If you have any infections you will be prompted, then select "Apply all actions"
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
  • Close AVG Anti-Spyware and reboot your system back into Normal Mode and post the results of the AVG Anti-Spyware report scan.
Harry

#13
OwNt

    Malware Expert
  • Retired Staff
  • 7,457 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.





