Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Hi jack this log help please

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Hi jack this log help please

Unread postby cdebru » June 18th, 2005, 5:34 pm

Logfile of HijackThis v1.99.1
Scan saved at 22:12:26, on 18/06/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\kernels32.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\Gsi.exe
C:\WINDOWS\System32\lsas.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\sessmgr.exe
C:\Program Files\SECRETMAKER\secretmaker.exe
C:\WINDOWS\System32\vxh8jkdq7.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\John\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\John\LOCALS~1\Temp\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Jenni\LOCALS~1\Temp\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\kernels32.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {38D4D5D0-423E-4220-B6F9-30918C2AE4A4} - C:\WINDOWS\frennk.dll
O2 - BHO: (no name) - {A0269420-A638-4509-889C-8FC3CC85DA7E} - C:\WINDOWS\drexinit.dll
O2 - BHO: IeHelper Class - {A491D208-B353-490F-B81A-A8A3DC97042D} - C:\WINDOWS\System32\smiehlp.dll
O2 - BHO: (no name) - {F16FC0E1-FA9C-4106-8AB4-794E57DF35E1} - C:\WINDOWS\System32\ghah.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Csl] C:\WINDOWS\System32\Ipo.exe
O4 - HKLM\..\Run: [Hsr] C:\WINDOWS\Gsi.exe
O4 - HKLM\..\Run: [Shellspl] lsas.exe
O4 - HKLM\..\Run: [WindowsUpdate] C:\WINDOWS\System\svchost.exe /s
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\John\LOCALS~1\Temp\se.dll,DllInstall
O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels32.exe
O4 - HKLM\..\Run: [Aki] C:\WINDOWS\System32\Uht.exe
O4 - HKLM\..\Run: [Akh] C:\WINDOWS\System32\Kjh.exe
O4 - HKLM\..\Run: [Eko] C:\WINDOWS\System32\Ren.exe
O4 - HKLM\..\Run: [Scs] C:\WINDOWS\Hoh.exe
O4 - HKLM\..\Run: [Crl] C:\WINDOWS\System32\Iof.exe
O4 - HKLM\..\Run: [Vus] C:\WINDOWS\Gmf.exe
O4 - HKLM\..\Run: [Lgk] C:\WINDOWS\Lmd.exe
O4 - HKLM\..\Run: [Fdk] C:\WINDOWS\System32\Ook.exe
O4 - HKLM\..\Run: [Hii] C:\WINDOWS\System32\Svp.exe
O4 - HKLM\..\Run: [Vrd] C:\WINDOWS\Mme.exe
O4 - HKLM\..\Run: [Arf] C:\WINDOWS\Gtt.exe
O4 - HKLM\..\Run: [Eme] C:\WINDOWS\Mso.exe
O4 - HKLM\..\Run: [Kjh] C:\WINDOWS\Foh.exe
O4 - HKLM\..\Run: [Mrf] C:\WINDOWS\System32\Vsj.exe
O4 - HKLM\..\Run: [Ioi] C:\WINDOWS\System32\Hgn.exe
O4 - HKLM\..\Run: [Hlj] C:\WINDOWS\Rjl.exe
O4 - HKLM\..\Run: [Mna] C:\WINDOWS\System32\Bgc.exe
O4 - HKLM\..\Run: [Iji] C:\WINDOWS\System32\Fbh.exe
O4 - HKLM\..\Run: [Rog] C:\WINDOWS\System32\Gat.exe
O4 - HKLM\..\Run: [Sib] C:\WINDOWS\Sln.exe
O4 - HKCU\..\Run: [Csl] C:\WINDOWS\System32\Ipo.exe
O4 - HKCU\..\Run: [Hsr] C:\WINDOWS\Gsi.exe
O4 - HKCU\..\Run: [Aki] C:\WINDOWS\System32\Uht.exe
O4 - HKCU\..\Run: [Akh] C:\WINDOWS\System32\Kjh.exe
O4 - HKCU\..\Run: [Eko] C:\WINDOWS\System32\Ren.exe
O4 - HKCU\..\Run: [Scs] C:\WINDOWS\Hoh.exe
O4 - HKCU\..\Run: [Crl] C:\WINDOWS\System32\Iof.exe
O4 - HKCU\..\Run: [Vus] C:\WINDOWS\Gmf.exe
O4 - HKCU\..\Run: [Fdk] C:\WINDOWS\System32\Ook.exe
O4 - HKCU\..\Run: [Vrd] C:\WINDOWS\Mme.exe
O4 - HKCU\..\Run: [Eme] C:\WINDOWS\Mso.exe
O4 - HKCU\..\Run: [Mrf] C:\WINDOWS\System32\Vsj.exe
O4 - HKCU\..\Run: [Hlj] C:\WINDOWS\Rjl.exe
O4 - HKCU\..\Run: [Iji] C:\WINDOWS\System32\Fbh.exe
O4 - HKCU\..\Run: [Sib] C:\WINDOWS\Sln.exe
O4 - Global Startup: SECRETMAKER.lnk = C:\Program Files\SECRETMAKER\secretmaker.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v ... 3136449291
O18 - Filter: text/html - {98E52DCA-E258-4DBD-A00B-6E6ECC279045} - C:\WINDOWS\System32\ghah.dll
O18 - Filter: text/plain - {98E52DCA-E258-4DBD-A00B-6E6ECC279045} - C:\WINDOWS\System32\ghah.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
cdebru
Active Member
 
Posts: 2
Joined: June 18th, 2005, 5:29 pm
Advertisement
Register to Remove

Unread postby wng_z3r0 » June 18th, 2005, 5:38 pm

Hi! :)
I go by wng_z3r0 here. I would be glad to help you with your computer problems.
HijackThis logs take awhile to research. Please be patient with me. I know that you want your problems solved quicky, and I will work hard to help you.

Please observe these rules while we work:
1. If you don't know, stop and ask! Don't keep going on.
2. Please reply to this thread. Do not start a new topic.

If you can do those two things, everything should go smoothly :D

Let's get to it then,

To start with I would like you to do this

Please delete your temporary files by deleting all files and folders that are in those folders (do not delete the temp folder itself) like for example
C:\WINDOWS\Temp\
C:\Temp\
C:\Documents and Settings\username\Local Settings\Temp\
Also delete your Temporary Internet Files, be sure to also select delete all offline content.

Do a virus scan here.
If you get report of files that can’t be cleaned / deleted please write down the filenames and locations and post that in your reply.

Then please do this since it’s better to use automated tools to get rid of the bad stuff use these 2 programs first before doing the final cleaning with HJT

First is Spybot S & D available from here.

1. Downloaded and Install Spybot S&D, accepting the Default Settings

2. In the Menu Bar at the top of the Spybot window you will see 'Mode'. Make certain that 'default mode' has a check mark beside it.

3. Close ALL windows except Spybot S&D

4. Click the button to ‘Search for Updates’ then download and install the Updates.

5. Next click the button ‘Check for Problems'

6. When Spybot is complete, it will be showing ‘RED’ entries bold 'Black' entries and ‘GREEN’ entries in the window

7. Make certain there is a check mark beside all of the RED entries ONLY.

8. Choose ‘Fix Selected Problems’ and allow Spybot to fix the RED entries.

9. REBOOT to complete the scan and clear memory.


Download Ad-aware Second Edition here and install it. If you already have Ad-aware Second Edition skip to the next step.

Open adaware and Click the "Check for updates now" line on the main screen. CLick the "Connect" button on the webupdate screen.

If an update is available download it and install it. Click the "Finish" button to go back to the main screen.

Click on the "Settings" button (gear symbol in the upper right corner of the main status screen) in the quick launch toolbar to open the General settings screen. Make sure the "Automatically quarantine objects prior to removal" setting is checked green and then click "Proceed" to save your changes.

Click the "Scan now" button in the main menu on the left side of the main status screen or use the "Start" button in lower right corner. This will open the Preparing System Scan screen. Please deselect "Search for negligible risk entries", as negligible risk entries (MRU's) are not considered to be a threat. Leave the option for low-risk threats unchecked also. Then select "Use custom scanning options" and click "CUstomize". This will open the "Scan Settings Page. Make sure all of the following are On with a green checkmark:

  • Scan within archives

Then click on the "Tweak" Button to open up the tweak settings.

Open up the Scanning Engine section and make sure all of the following are On with a green checkmark:
  • Scan registry for all users instead of current user only
Make sure the following is unchecked with a red X:
  • Unload recognized processes & modules during scan.
Open up the Cleaning Engine section and make sure all of the following are On with a green checkmark:

  • Always try to unload modules before deletion
  • During Removal, unload Explorer and IE if necessary
  • Let Windows remove files in use at next reboot.

Click the "Proceed" button to save settings. Click next to begin the scan. When the scan is completed, the Performing System Scan screen will change name to "Scan Complete".

Click the "Next" button to get to the Scanning Results screens where more information about the objects detected during the scan is available. Click the Critical Objects Tab. In general all of the items listed will be bad. To fix all the bad critical objects, right click on one of them to open up the selection screen. Click the "Select All" button to select all entries. Then all are selected Click "Next" and then "OK" in the pop-up window to confirm the removal.

Run the scan, and then reboot.

Then post a new HJT log as a reply to this topic.
Last edited by wng_z3r0 on June 18th, 2005, 5:49 pm, edited 1 time in total.
User avatar
wng_z3r0
Admin/Teacher Emeritus
 
Posts: 4282
Joined: March 6th, 2005, 8:22 pm

Unread postby cdebru » June 18th, 2005, 5:41 pm

thank you wng_z3r0 for your help
cdebru
Active Member
 
Posts: 2
Joined: June 18th, 2005, 5:29 pm

Unread postby Nellie2 » July 13th, 2005, 2:40 pm

Hi there cdebru

Are your problems resolved? You didn't post a fresh hijackthis log for wng_z3r0 to check over for you. :shock:
User avatar
Nellie2
Administrator Emeritus
 
Posts: 8737
Joined: December 16th, 2004, 5:01 pm
Location: UK

Unread postby Nellie2 » July 29th, 2005, 10:19 am

Whilst we appreciate that you may be busy, it has been 14 days or more since we heard from you.

Infections can change and fresh instructions will now need to be given. This topic is now closed, if you still require assistance then please start a new topic in the Malware Removal Forum

If you wish this topic reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

The help you receive here is free, but you can help support this site from this link if you wish:
Donations For Malware Removal

Do not bother contacting us if you are not the topic starter. A valid,
working link to the closed topic is required along with the user name used.
If the user name does not match the one in the thread linked, the email will be deleted.
User avatar
Nellie2
Administrator Emeritus
 
Posts: 8737
Joined: December 16th, 2004, 5:01 pm
Location: UK
Advertisement
Register to Remove


Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 305 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware