#1
HijackThis log, weird downloads
Help!!! Here is my HijackThis log. Every time I start up my computer, real download opens and immediately downloads something called "winhelp.exe". It is only 7 KB in size. It also opens up a window that reads with a bunch of gibberish characters... please help if you can. Thanks
sincerely, A newbie in trouble!! :-)

Logfile of HijackThis v1.97.7
Scan saved at 6:24:52 PM, on 1/5/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\sm56hlpr.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\SYSTEM32\qttask.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE
C:\Program Files\RRMedic\RRMedic.exe
C:\WINDOWS\System32\svchost.exe
C:\My Download Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.iwon.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Roadrunner
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {9527D42F-D666-11D3-B8DD-00600838CD5F} - C:\WINDOWS\system32\IETie.dll
O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM32\NZDD.DLL
O3 - Toolbar: (no name) - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - (no file)
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BurnQuick Queue] C:\WINDOWS\BQTray.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [DKTime] C:\WINDOWS\System32\dktime.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE"
O4 - Global Startup: EPSON Background Monitor.lnk = C:\ESM2\Stms.exe
O4 - Global Startup: Cloudmark SpamNet for OE.lnk = ?
O4 - Global Startup: Microsoft.hta
O4 - Global Startup: Road Runner Medic.lnk = C:\Program Files\RRMedic\RRMedic.exe
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: PartyPoker.com (HKLM)
O9 - Extra 'Tools' menuitem: PartyPoker.com (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.windupdates.com
O16 - DPF: DigiChat Applet - http://host3.digichat.com/DigiChat/D.../Client_IE.cab
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/game...ts/y/ct2_x.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://www.accesstimewarner.com/CFID...ses/CFJava.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_fi...dceabcca450006
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...irector/sw.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/downlo...22/wmv9VCM.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - http://v4.windowsupdate.microsoft.co...884.6422569444
O16 - DPF: {D27CDB6E-11CF-96B9-4400-000000000000} - http://active.macromedia.com/flash3/cabs/swflash.cab
O16 - DPF: {D27CDB6E-AE6D-0000-0000-000000000000} - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8519482F-5281-4B9E-B5E6-C9F1C6FF491E}: Domain = socal.rr.com
#2
Hi
Make sure to run Ad-Aware and Spybot S & D (check for updates), as these will do a preliminary malware clean first. Some files below may not be present after running the above programs.

Then.... Turn off your System Restore (SEE HERE). Reinstate it when your log is cleaned and then create a new restore point.

Close your browser window and run HJT in safe mode (HOW TO RUN SAFE MODE) and have HijackThis fix all the following items in the list below by placing a check in the appropriate boxes and selecting "Fix checked". If any EXE files have been selected, go into HijackThis/Config/Misc/Tools/ and open the process manager. Select the EXE files (if they are there) and click Kill process before deleting.

Folders that have been highlighted RED in the log will need to be uninstalled. Check first, as some folders may be uninstalled via Add/Remove Programs. Files highlighted in BLACK in the log will need to be removed from your hard drive. Make sure to have your system set to show hidden files and folders (HOW TO SHOW FILES).

When done, download Cleanup and run it to clean out the temp folders. Then please get the latest HJT v1.99, reboot and post a new log when finished...

O2 - BHO: (no name) - {9527D42F-D666-11D3-B8DD-00600838CD5F} - C:\WINDOWS\system32\IETie.dll
O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM32\NZDD.DLL
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [DKTime] C:\WINDOWS\System32\dktime.exe
O15 - Trusted Zone: *.windupdates.com
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_f...edceabcca450006
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab
#3
Hi,
Do you use RealPlayer? I've included RealPlayer removal, just until this is sorted.

Please right-click the "Microsoft.hta" file in the C:\Documents and Settings\All Users\Start Menu\Programs\Startup folder. Choose "Send To" --> "Compressed (zipped) Folder". Send the zip file to mike@n21.co.nz, please.

Download the latest HijackThis 1.99 from HERE. It will auto-install to C:\Program Files for you, just click on the "Unzip" button. Delete your old HijackThis folder.

Uninstall the following via Add/Remove Programs, if they exist:
Viewpoint Manager
Realplayer

1. Print this, or copy to Notepad; Internet Explorer needs to be closed until final reboot.

2. Close ALL Internet Explorer windows, only have HijackThis running. In HijackThis, check the boxes for the below entries, then click on "Fix checked":
O3 - Toolbar: (no name) - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - (no file)
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DKTime] C:\WINDOWS\System32\dktime.exe
O4 - Global Startup: Microsoft.hta
O4 - Global Startup: Road Runner Medic.lnk = C:\Program Files\RRMedic\RRMedic.exe
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: PartyPoker.com (HKLM)
O9 - Extra 'Tools' menuitem: PartyPoker.com (HKLM)
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_f...edceabcca450006

3. Reboot into Safe Mode (reboot and tap F8 immediately after the BIOS screen, then choose Safe Mode from the menu). Make sure you can see Hidden Files and Folders --> How to show Hidden Files and Folders. Then delete the below files and folders:
C:\Program Files\Viewpoint <--- delete the Viewpoint folder
C:\WINDOWS\System32\dktime.exe <--- delete the file
C:\Program Files\Common Files\Real <-- delete the Real folder
Microsoft.hta <-- It will be in the -E:\Documents and Settings\All Users\Start Menu\Programs\Startup folder.
winhelp.exe <-- do a SEARCH for the winhelp.exe file (7 KB), but do not delete the same-name file that is 251 KB in size... that is a Windows file. If you find it, zip it up and send it to me also, please.

Reboot the computer and post back a new HJT log v1.99 to this thread, please.
Cheers.
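A small triage script, added here as an example and not part of this thread or of HijackThis itself, that parses log lines in the "O2 - BHO: ...", "O4 - ...", "O15 - Trusted Zone: ...", "O16 - DPF: ..." format shown above and flags the kinds of entries both replies single out: trusted-zone additions, ActiveX downloads from hosts outside a vendor allow-list, unnamed BHOs loaded from System32, and .hta files in the all-users Startup folder. The allow-list and the four rules are constructed assumptions for this example; the sample lines are copied from the log posted in this thread.

```python
import re
from urllib.parse import urlparse

# Constructed sample: entries copied from the log in this thread (URLs truncated as the forum showed them).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM32\NZDD.DLL
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM32\qttask.exe" -atboottime
O4 - Global Startup: Microsoft.hta
O4 - Global Startup: EPSON Background Monitor.lnk = C:\ESM2\Stms.exe
O15 - Trusted Zone: *.windupdates.com
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab
"""

# Every HJT entry is "<section> - <body>", e.g. "O16 - DPF: ...".
ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")

# Assumed allow-list of ActiveX download hosts a reviewer would accept without comment.
KNOWN_DPF_HOSTS = {"www.apple.com", "download.microsoft.com", "download.macromedia.com",
                   "active.macromedia.com", "download.games.yahoo.com",
                   "v4.windowsupdate.microsoft.com"}

def parse(log):
    """Return (section, body) pairs for every well-formed entry line."""
    entries = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("sec"), m.group("body")))
    return entries

def suspicious(sec, body):
    """Return a reason string if the entry trips one of the triage rules, else None."""
    if sec == "O15":  # any site added to the Trusted Zone gets IE's weakest security settings
        return "trusted-zone entry"
    if sec == "O16":  # the URL is always the last " - " separated field
        host = urlparse(body.rsplit(" - ", 1)[-1]).hostname or ""
        if host not in KNOWN_DPF_HOSTS:
            return f"ActiveX download from unrecognised host {host}"
    if sec == "O2" and body.startswith("BHO: (no name)"):
        path = body.rsplit(" - ", 1)[-1]
        if "\\system32\\" in path.lower():  # unnamed browser helper living in System32
            return "unnamed BHO loaded from System32"
    if sec == "O4" and body.startswith("Global Startup:"):
        if body.split(":", 1)[1].strip().lower().endswith(".hta"):
            return "HTML Application in the all-users Startup folder"
    return None

def triage(log):
    """Return [(section, body, reason)] for every flagged entry, in log order."""
    return [(s, b, why) for s, b in parse(log) for why in [suspicious(s, b)] if why]
```

Running `triage(SAMPLE_LOG)` on the constructed sample flags the NZDD.DLL BHO, Microsoft.hta, the windupdates trusted zone and the errorguard CAB, and leaves the Adobe, QuickTime, EPSON and Apple entries alone.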