I've been hit [resolved]



#1
joyfulgirl72
I've followed all the instructions that must be done before posting a HijackThis Log except Windows Update because I am getting Error On Page at the Windows Update Site. I also get a DirectX error at HouseCall and was unable to use that online scan. So here's my log... Thanks!!

Logfile of HijackThis v1.99.0
Scan saved at 10:47:14 PM, on 2/11/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\HijackThis.exe
c:\windows\explorer.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://gfhjkhgi.biz (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://gfhjkhgi.biz (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://gfhjkhgi.biz (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://gfhjkhgi.biz (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://allwebsearcher.com/
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {0DC8B1E4-0729-3647-7101-F971A1C5F906} - (no file)
O2 - BHO: (no name) - {0F9561D0-03B2-44a3-89A6-E95E417CBA25} - C:\WINDOWS\cerbmod.dll
O2 - BHO: (no name) - {2D2084F9-E569-C9DE-5C46-CFDE6E8998C7} - (no file)
O2 - BHO: (no name) - {451262D1-0B95-45B3-E4BD-86B43D1D3709} - C:\WINDOWS\System32\jfoghvox.dll (file missing)
O2 - BHO: (no name) - {4A5F5AB9-ECCF-A236-14B9-234FF1AFFBDD} - C:\WINDOWS\System32\yehjijea.dll (file missing)
O2 - BHO: (no name) - {79EE9DEB-2A1E-E6C4-4D17-7CF7EEDBB8A4} - C:\WINDOWS\System32\iwcsbtgq.dll (file missing)
O2 - BHO: (no name) - {8677671D-BCF2-5DD0-FC40-D41B24828D06} - C:\WINDOWS\System32\conrvttr.dll (file missing)
O2 - BHO: (no name) - {8DE76E0B-0D02-E3B1-8E7D-3C4A49F82287} - C:\WINDOWS\System32\vwnmzyyu.dll (file missing)
O2 - BHO: (no name) - {AF564B76-B26B-4A78-B10C-356FB8E53B78} - C:\WINDOWS\System32\edstwqso.dll (file missing)
O2 - BHO: (no name) - {B398EB80-0BE5-A853-7E3C-C705E882DAC4} - C:\WINDOWS\System32\abmfxhcf.dll (file missing)
O2 - BHO: (no name) - {B72F75B8-93F3-429D-B13E-660B206D897A} - C:\WINDOWS\System32\snim.dll
O2 - BHO: (no name) - {BE386653-9524-5F8B-868A-038F404A36FC} - C:\WINDOWS\System32\prcmhhwf.dll
O2 - BHO: (no name) - {DCAC8F71-626E-8D10-2690-050C84064F12} - C:\WINDOWS\System32\opxvzeym.dll (file missing)
O2 - BHO: (no name) - {F338A274-E3E7-20AA-21A2-45A7A4F735C4} - C:\WINDOWS\System32\kaxnvpte.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [Systems Restart] Rundll32.exe snim.dll, DllRegisterServer
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [b3otRWH7Q] kaxontfs.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Windows.hta
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: (HKLM)
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {4C226336-4032-489F-9674-67E74225979B} (OTXMovie Class) - http://www.otxresear...ia/OTXMedia.dll
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c.../ymmapi_416.dll
O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop...irus/PitPav.cab
O18 - Filter: text/html - {B72F75B8-93F3-429D-B13E-660B206D897A} - C:\WINDOWS\System32\snim.dll
O18 - Filter: text/plain - {B72F75B8-93F3-429D-B13E-660B206D897A} - C:\WINDOWS\System32\snim.dll
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe


#2
joyfulgirl72
Some more info, this computer used to have SP2 but it's been uninstalled somehow... I have to use my other computer to even get to this site ;) ... Also, it gets horseserver redirects occasionally if I can even get online... :tazz: ...

#3
plaszac
Have you got CWShredder?
Ad-Aware?
Spybot Search and Destroy?
These you can link on to from here or you could do it via Download.com.
Try and run these and then post another log.

#4
joyfulgirl72

Have you got CWShredder?
Ad-Aware?
Spybot Search and Destroy?
These you can link on to from here or you could do it via Download.com.
Try and run these and then post another log.



I ran those both before posting the log... :tazz:

#5
Guest_thatman_*
Hi joyfulgirl72

You have a nasty About:Blank infection. This fix requires several tools that need to be downloaded. Please download these now, we will run them later.

1) About:Buster - Download it and extract it to C:/aboutbuster.
2) CleanUp! - Download it and install it.
3) CWShredder 2.11 - Download it and save it to your desktop.
4) Ad-Aware - Download, install, and update.

Enable hidden files and folders: http://www.bleepingc...torial=62#winme

During the fix do NOT connect to the internet. Unless you can memorize these instructions, it would be a good idea to print them out.

Boot into safe mode:
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Run AboutBuster
-Click Start to begin the process
-Click OK on the Buster Report dialogue box to start the scan
AboutBuster scans the computer for malicious files and deletes them.
Save the report (copy and paste into Notepad and save as a .txt file) to post a copy for review.

Run CWShredder
-Next, click on the: ‘Fix’ button
-Follow the prompts, and press OK

Run CleanUp
-Make sure it is on Standard Mode
-Click the "CleanUp!" button

Run Ad-Aware
-Configure Ad-Aware for a full system scan
-Run it

Clean Up the left overs

Run HJT, close any open windows, and fix the following items (if they are still there):

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://gfhjkhgi.biz (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://gfhjkhgi.biz (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://gfhjkhgi.biz (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://gfhjkhgi.biz (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://allwebsearcher.com/
O2 - BHO: (no name) - {0DC8B1E4-0729-3647-7101-F971A1C5F906} - (no file)
O2 - BHO: (no name) - {0F9561D0-03B2-44a3-89A6-E95E417CBA25} - C:\WINDOWS\cerbmod.dll
O2 - BHO: (no name) - {2D2084F9-E569-C9DE-5C46-CFDE6E8998C7} - (no file)
O2 - BHO: (no name) - {451262D1-0B95-45B3-E4BD-86B43D1D3709} - C:\WINDOWS\System32\jfoghvox.dll (file missing)
O2 - BHO: (no name) - {4A5F5AB9-ECCF-A236-14B9-234FF1AFFBDD} - C:\WINDOWS\System32\yehjijea.dll (file missing)
O2 - BHO: (no name) - {79EE9DEB-2A1E-E6C4-4D17-7CF7EEDBB8A4} - C:\WINDOWS\System32\iwcsbtgq.dll (file missing)
O2 - BHO: (no name) - {8677671D-BCF2-5DD0-FC40-D41B24828D06} - C:\WINDOWS\System32\conrvttr.dll (file missing)
O2 - BHO: (no name) - {8DE76E0B-0D02-E3B1-8E7D-3C4A49F82287} - C:\WINDOWS\System32\vwnmzyyu.dll (file missing)
O2 - BHO: (no name) - {AF564B76-B26B-4A78-B10C-356FB8E53B78} - C:\WINDOWS\System32\edstwqso.dll (file missing)
O2 - BHO: (no name) - {B398EB80-0BE5-A853-7E3C-C705E882DAC4} - C:\WINDOWS\System32\abmfxhcf.dll (file missing)
O2 - BHO: (no name) - {B72F75B8-93F3-429D-B13E-660B206D897A} - C:\WINDOWS\System32\snim.dll
O2 - BHO: (no name) - {BE386653-9524-5F8B-868A-038F404A36FC} - C:\WINDOWS\System32\prcmhhwf.dll
O2 - BHO: (no name) - {DCAC8F71-626E-8D10-2690-050C84064F12} - C:\WINDOWS\System32\opxvzeym.dll (file missing)
O2 - BHO: (no name) - {F338A274-E3E7-20AA-21A2-45A7A4F735C4} - C:\WINDOWS\System32\kaxnvpte.dll (file missing)
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Systems Restart] Rundll32.exe snim.dll, DllRegisterServer
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [b3otRWH7Q] kaxontfs.exe
O4 - Global Startup: Microsoft Windows.hta
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: (HKLM)
O16 - DPF: {4C226336-4032-489F-9674-67E74225979B} (OTXMovie Class) - http://www.otxresear...ia/OTXMedia.dll
O18 - Filter: text/html - {B72F75B8-93F3-429D-B13E-660B206D897A} - C:\WINDOWS\System32\snim.dll
O18 - Filter: text/plain - {B72F75B8-93F3-429D-B13E-660B206D897A} - C:\WINDOWS\System32\snim.dll


Then delete the following files (if they exist):

C:\Program Files\MSN Messenger\MsnMsgr.Exe
kaxontfs.exe
C:\WINDOWS\System32\snim.dll
C:\WINDOWS\System32\kaxnvpte.dll

Reboot into normal mode (simply restart your computer as you normally would), and run the following free, online virus scans:

http://housecall.tre.../start_corp.asp
http://www.pandasoft...n_principal.htm

Then restart your computer one more time and post a new HJT log as well as the About:Buster log I asked you to save earlier.

Kc :tazz:
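As an added illustration (not code from the thread or from any of the tools named in it), the Python script below applies the patterns thatman's fix list relies on to a constructed handful of HijackThis-style lines: IE start/search values marked (obfuscated) or set to about:blank, unnamed BHOs (often with the file already missing), O18 MIME filters that share a CLSID with one of those BHOs, and Run keys that load the same DLL through rundll32 or carry a random-looking value name. The sample lines and the scoring heuristics are assumptions made for the example.

```python
import re
from collections import defaultdict
# Constructed sample in HijackThis log format (a few lines modelled on the thread, not the full log).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://gfhjkhgi.biz (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
O2 - BHO: (no name) - {B72F75B8-93F3-429D-B13E-660B206D897A} - C:\WINDOWS\System32\snim.dll
O2 - BHO: (no name) - {451262D1-0B95-45B3-E4BD-86B43D1D3709} - C:\WINDOWS\System32\jfoghvox.dll (file missing)
O4 - HKLM\..\Run: [Systems Restart] Rundll32.exe snim.dll, DllRegisterServer
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [b3otRWH7Q] kaxontfs.exe
O18 - Filter: text/html - {B72F75B8-93F3-429D-B13E-660B206D897A} - C:\WINDOWS\System32\snim.dll
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
"""

ENTRY_RE = re.compile(r"^([RO]\d+) - (.*)$")          # "O2 - BHO: ..." -> ("O2", "BHO: ...")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
DLL_RE = re.compile(r"([A-Za-z0-9_~]+\.dll)", re.IGNORECASE)
RUN_NAME_RE = re.compile(r"\[([^\]]+)\]")
# Heuristic (assumption): 8-12 mixed-case alphanumerics with digits and no separators, e.g. b3otRWH7Q.
RANDOM_NAME_RE = re.compile(r"(?=.*\d)(?=.*[a-z])(?=.*[A-Z])[A-Za-z0-9]{8,12}")

def triage(log):
    """Return {hjt_line: [reasons]} for entries matching the hijack patterns seen in the thread."""
    entries = [m.groups() for m in map(ENTRY_RE.match, (l.strip() for l in log.splitlines())) if m]
    findings = defaultdict(list)
    bad_clsids, bad_dlls = set(), set()
    # Pass 1: hijacked IE start/search values and unnamed BHOs; remember their CLSIDs and DLL names.
    for sec, rest in entries:
        line = f"{sec} - {rest}"
        if sec in ("R0", "R1") and ("(obfuscated)" in rest or rest.endswith("about:blank")):
            findings[line].append("IE start/search value is obfuscated or about:blank")
        if sec == "O2" and "(no name)" in rest:
            missing = "(file missing)" in rest
            findings[line].append("unnamed BHO" + (", file missing" if missing else ""))
            bad_clsids.update(CLSID_RE.findall(rest))
            bad_dlls.update(d.lower() for d in DLL_RE.findall(rest))
    # Pass 2: cross-reference those CLSIDs/DLLs against MIME filters and Run keys.
    for sec, rest in entries:
        line = f"{sec} - {rest}"
        if sec == "O18" and rest.startswith("Filter:"):
            shared = set(CLSID_RE.findall(rest)) & bad_clsids
            findings[line].append("MIME filter" + (" shares CLSID with flagged BHO" if shared else ""))
        if sec == "O4":
            if {d.lower() for d in DLL_RE.findall(rest)} & bad_dlls:
                findings[line].append("Run key loads DLL of a flagged BHO via rundll32")
            name = RUN_NAME_RE.search(rest)
            if name and RANDOM_NAME_RE.fullmatch(name.group(1)):
                findings[line].append("random-looking Run value name")
    return dict(findings)

if __name__ == "__main__":
    for hit, reasons in triage(SAMPLE_LOG).items():
        print(hit, "->", "; ".join(reasons))
```

The legitimate AVG entries in the sample are not flagged, which is the point of cross-referencing rather than flagging every Run key or service.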

#6
joyfulgirl72
Just wanted to apologize because I have been trying desperately to get the computer I posted the log about previously to boot up but keep getting a WINLOGON.EXE error and all it does is reboot after I hit OK, the only option. ;) From research I had done, that WINLOGON.EXE is a potential virus running from a different location than the real WINLOGON.EXE which resides in the SYSTEM32 folder, but I was not able to find anything located elsewhere. I tried to repair the XP installation, to no avail... Before I began to get the boot errors, I had completed all the tips THATMAN posted (except the ones that were online scans) and things were looking pretty good, then the next day after work, I had downloaded motherboard drivers because my Network Adapter Driver had disappeared somehow, so I was all set to reinstall it but could not boot... So I am going to be trying to move all the settings and other files to the second partition and re-format the naughty partition and do a complete reinstall of everything tomorrow evening after work... It seems that the system was just a bit too far gone to be repaired. So I wanted to give an update and thank you to THATMAN for his help.... I will repost to give another status again after that stuff is all done, wish me luck... Anywho, I must say that throughout this experience, I certainly have learned a ton, so hopefully in the future, I can help someone else if they experience the trouble I did... :tazz:

#7
Guest_thatman_*
Hi joyfulgirl72

Boot Disk - Windows XP (Home & Pro) boot disk 200K (7-July-2002)
If you are unable to boot up your Windows XP PC (XP Home or XP Professional), it may be because the boot sector has become corrupted (yet the operating system and data may still be OK). If that is the problem, then this boot disk will enable your PC to ignore the hard disk boot sector, and instead use the boot sector on this boot floppy in order to still boot successfully into Windows XP.

XPHome & Pro Boot Disk Click Here

When you have booted your PC post a HijackThis.log


kc :tazz:

#8
joyfulgirl72
Thanks, thatman, unfortunately, I get the same error with the boot disk, but I am going to try again just for good measure... I don't want to press F2 for Automated System Recovery, do I? :tazz:

#9
joyfulgirl72
My bad, I get the setup menu with three options and then I can login to my c:\WINDOWS drive if I want so I login with the admin password and only get a command line...

#10
joyfulgirl72
Followed many tips but continuing to get the errors on boot after FIXBOOT and REBUILDING BOOTCFG and reloading boot files from c:\windows\repair... Ugh...


#11
joyfulgirl72
So I took the hard drive out and put it in my working machine and am going to format and reinstall. No biggie, just wanted to update and thank THATMAN for his help! :tazz:

#12
Guest_thatman_*
Hi joyfulgirl72

That will clean out whatever it was causing the problem.

Hope you will use geekstogo again

All the best

Kc :tazz:

#13
joyfulgirl72
So sorry to keep revisiting this, but I formatted in Recovery Console using format command --- format c: fs:FAT32 and reinstalled Win XP but Documents and Settings folder was still out there after the format :tazz: The command went through for about 30-45 minutes and said that all data would be lost! So it seemed all fine for a day or so but now Internet Explorer is sooooooo slow... I've scanned with AdAware, Spybot, CWS Shredder and AVG for AV turning up nothing major except a tracking cookie here and there, no weird processes running... I was amazed that the files remained, but wasn't complaining because it made my system recovery faster than having to try to get them from CD... Now I'm just not so sure things went so well. I will post another HJT Log as soon as I can get the page to load... ;)

#14
joyfulgirl72
BTW since I've reinstalled, I've gotten up to SP2 and thought I was going to be A-OK... Oh dear! :tazz:

#15
Guest_thatman_*
Hi joyfulgirl72


Just post back to this topic when you are ready. ;)

Kc :tazz: