
Live-Wire's PC Issues [CLOSED]


  • This topic is locked

#1
live-wire

    New Member

  • Member
  • 3 posts
Please look at my HijackThis log... I am really new to this. Any help is much appreciated.

Logfile of HijackThis v1.99.1
Scan saved at 10:57:22 PM, on 4/27/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\nvsvc32.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\System32\ruxiwvtq.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\McAfee\McAfee QuickClean\Plguni.exe
C:\WINDOWS\system32\??xplore.exe
C:\DOCUME~1\garay9\LOCALS~1\Temp\Temporary Directory 2 for HijackThis.zip\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bestbuy.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.bestbuy.msn.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.bestbuy.msn.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Windows\System32\wsaupdater.exe,
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {070E2E54-999C-B81A-EB39-B9EEF9FCBDBC} - C:\WINDOWS\system32\delwvtzi.dll
O2 - BHO: (no name) - {3EAA3A2A-C349-2E97-8722-625578F9296F} - C:\WINDOWS\System32\tnrv.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Curl Class - {A78CC2FF-6E4E-4556-B27C-D7C3A70D7A50} - C:\WINDOWS\System32\NDrv.dll (file missing)
O2 - BHO: (no name) - {DC015A45-B388-C954-FE08-CAC9ABC86EE8} - C:\WINDOWS\system32\gnexoedz.dll (file missing)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [jpgsresx] C:\WINDOWS\System32\ruxiwvtq.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [OiGVFyqi] C:\documents and settings\garay9\local settings\temp\OiGVFyqi.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [McAfee QuickClean Imonitor] C:\Program Files\McAfee\McAfee QuickClean\Plguni.exe /START
O4 - HKCU\..\Run: [Nnil] C:\WINDOWS\system32\??xplore.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.bestbuy.msn.com
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe


#2
Kat

    Retired

  • Retired Staff
  • 19,711 posts
  • MVP
Hi there, and welcome! My name is Kat, and I'll be helping you to get your computer fixed up and on the run again! You may want to print these instructions or save them to a NotePad file on your desktop to make it easier for you to follow each step in order!

1. Before we tackle the infections on your machine, I need you to do something very important. It is not a good idea to run HijackThis from a "temp" location. Please save Hijack This in a permanent folder (i.e. C:\HJT). This ensures backups are saved and accessible. Also, please do not run HJT within the zipped folder. Please use a free unzipping tool such as WinZip to extract it.

2. Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Windows\System32\wsaupdater.exe,

O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll (file missing)
O2 - BHO: (no name) - {070E2E54-999C-B81A-EB39-B9EEF9FCBDBC} - C:\WINDOWS\system32\delwvtzi.dll
O2 - BHO: (no name) - {3EAA3A2A-C349-2E97-8722-625578F9296F} - C:\WINDOWS\System32\tnrv.dll (file missing)
O2 - BHO: Curl Class - {A78CC2FF-6E4E-4556-B27C-D7C3A70D7A50} - C:\WINDOWS\System32\NDrv.dll (file missing)
O2 - BHO: (no name) - {DC015A45-B388-C954-FE08-CAC9ABC86EE8} - C:\WINDOWS\system32\gnexoedz.dll (file missing)

O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)

O4 - HKLM\..\Run: [jpgsresx] C:\WINDOWS\System32\ruxiwvtq.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [OiGVFyqi] C:\documents and settings\garay9\local settings\temp\OiGVFyqi.exe
O4 - HKCU\..\Run: [Nnil] C:\WINDOWS\system32\??xplore.exe

Now close all windows other than HiJackThis, then click Fix Checked. Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Please remove these entries from Add/Remove Programs in the Control Panel (if present):
Instafinder or InstaFink
Viewpoint
Please note any other programs that you don't recognize in that list in your next response.

Please delete these folders using Windows Explorer (if present):
C:\Program Files\Viewpoint
C:\Program Files\InstaFinder or InstaFink

Please delete these files using Windows Explorer (if present):
C:\Windows\System32\wsaupdater.exe
C:\WINDOWS\systb.dll
C:\WINDOWS\system32\delwvtzi.dll
C:\WINDOWS\System32\tnrv.dll
C:\WINDOWS\System32\NDrv.dll
C:\WINDOWS\system32\gnexoedz.dll
C:\WINDOWS\System32\ruxiwvtq.exe
C:\documents and settings\garay9\local settings\temp\OiGVFyqi.exe
C:\WINDOWS\system32\??xplore.exe
Please do NOT confuse this with the legitimate similarly named file. Make sure to only delete the one with the question mark!

After that, reboot.

3. Please download CleanUp! and run it to remove any leftover remnants of infection. Click the CleanUp button, and let it scan and select any files it needs to remove. Once it is done, exit the program.

4. Scan with HijackThis and post a fresh log here in a reply.
  • 0
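
A triage sketch for the kind of log reviewed in the two posts above, added here as an example; it is not part of the original thread and not code from HijackThis. The function names and the four heuristics (absent registered file, autostart from a temp directory, "?" in a file name, extra program chained to Userinit) are assumptions of this example, and the sample input is a constructed excerpt of the log in post #1.

```python
import re

# Constructed sample: eight entries copied from the log in post #1.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bestbuy.msn.com/
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Windows\System32\wsaupdater.exe,
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [OiGVFyqi] C:\documents and settings\garay9\local settings\temp\OiGVFyqi.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKCU\..\Run: [Nnil] C:\WINDOWS\system32\??xplore.exe
"""

ENTRY = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")

def parse(log_text):
    """Yield (section_code, body) for each entry line; other lines are skipped."""
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            yield m.group("code"), m.group("body")

def reasons(code, body):
    """Heuristics (assumptions of this example) for why an entry needs review."""
    low, found = body.lower(), []
    if "(no file)" in low or "(file missing)" in low:
        found.append("registered file is absent")
    if code == "O4" and "\\temp\\" in low:
        found.append("autostart from a temp directory")
    if code == "O4" and "?" in body.rsplit("\\", 1)[-1]:
        found.append("'?' in file name")
    if code == "F2" and "userinit=" in low:
        programs = [p.strip() for p in low.split("=", 1)[1].split(",") if p.strip()]
        if any(not p.endswith("\\userinit.exe") for p in programs):
            found.append("extra program chained to Userinit")
    return found

def triage(log_text):
    """Return [(code, body, reasons)] for entries that matched a heuristic."""
    hits = [(c, b, reasons(c, b)) for c, b in parse(log_text)]
    return [h for h in hits if h[2]]

if __name__ == "__main__":
    for code, body, why in triage(SAMPLE_LOG):
        print(f"{code}: {body}\n    -> {', '.join(why)}")
```

Entries such as the randomly named ruxiwvtq.exe Run key match none of these rules, so the output is a starting list for a reviewer and not a verdict on the log.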

#3
live-wire

    New Member

  • Topic Starter
  • Member
  • 3 posts
This may sound crazy, but I'm really stupid when it comes to computers. I'm not sure how to put HijackThis on a permanent file. Would you be able to walk me through that? Thanks for all your help, I really need it!

ps,
It's pretty sad
that I can't even
start the first step.


live-wire

#4
Kat

    Retired

  • Retired Staff
  • 19,711 posts
  • MVP
No worries! I was the same way when I first joined another board two years ago! :tazz: I promise, I understand!! ;)

To create a permanent directory, double click on your My Computer icon on the desktop, or single click it from your Start menu. When that opens, double click your "C" drive. At the top, click on File>New>Folder. It will create a permanent folder, which will be highlighted so you can type over and rename it. You can just call it Hijackthis, or whatever you choose!


Now let's unzip HijackThis. Just in case, I will walk you through that too! If you don't already have a program such as WinZip, you can download a free trial version here. After it downloads, double click it to run the self-installer. After it installs, open the program. Click "Use evaluation version", then choose "next", then "Unzip from an existing file". That will take you to a box that should search for all zipped files currently on your PC. If it does not, you can click the "search" button to navigate to the temp folder where winzip is. The next screen will ask you where you want it installed after it is unzipped. Click the "Select different folder" button, and it will let you navigate to the new folder you created. Then click "Unzip now" and there you have it!

#5
live-wire

    New Member

  • Topic Starter
  • Member
  • 3 posts
OK, that was easy. Now I ran HijackThis and clicked on all the ones you told me to, but I didn't click fix, because I don't know how to restart in Safe Mode. Not even sure I know what Safe Mode is. :tazz:

Again, thanks for your patience!!!!

live-wire

#6
Kat

    Retired

  • Retired Staff
  • 19,711 posts
  • MVP
You will click the Fix button while still in regular mode! Go ahead and scan with HJT again, and put checks next to all those entries. Then, make sure NO other programs are open, including the internet. Then, click Fix.

After you let HJT fix these items, you're going to reboot. During the reboot, as soon as it is done with the shutdown part, start tapping your F8 key at the top of the keyboard repeatedly. It will take you to a black screen, instead of your normal Windows background. On the black screen will be a few options listed in white, one of which is Safe Mode. Use your arrow keys to highlight Safe Mode, and then hit your Enter key. After it is done loading, you will be able to double click on My Computer (or My Documents, as necessary) and find the files and folders.

Don't worry if a few of them aren't there after you uninstall the programs! That's normal, and some of them may not be there due to the HJT fixes. Just delete all the ones that are there. When you're done, then proceed with the rest of the instructions!

I have to run to get groceries and such, and I'll check back in about two hours from now!

#7
Kat

    Retired

  • Retired Staff
  • 19,711 posts
  • MVP
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member with the address of this thread. This applies only to the original topic starter. Everyone else, please begin a New Topic.