  #1  
Old January 6th, 2005, 03:25 AM
Fredman1138 Fredman1138 is offline
New Member
 
Join Date: Sep 2004
Posts: 29
HijackThis log, weird downloads

Help!!! Here is my HijackThis log. Every time I start up my computer, Real Download opens and immediately downloads something called "winhelp.exe"; it is only 7 KB in size. It also opens up a window that shows a bunch of gibberish characters... please help if you can. Thanks

sincerely,
A newbie in trouble!! :-)

Logfile of HijackThis v1.97.7
Scan saved at 6:24:52 PM, on 1/5/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\sm56hlpr.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\SYSTEM32\qttask.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE
C:\Program Files\RRMedic\RRMedic.exe
C:\WINDOWS\System32\svchost.exe
C:\My Download Files\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.iwon.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Roadrunner
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {9527D42F-D666-11D3-B8DD-00600838CD5F} - C:\WINDOWS\system32\IETie.dll
O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM32\NZDD.DLL
O3 - Toolbar: (no name) - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - (no file)
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BurnQuick Queue] C:\WINDOWS\BQTray.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [DKTime] C:\WINDOWS\System32\dktime.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE"
O4 - Global Startup: EPSON Background Monitor.lnk = C:\ESM2\Stms.exe
O4 - Global Startup: Cloudmark SpamNet for OE.lnk = ?
O4 - Global Startup: Microsoft.hta
O4 - Global Startup: Road Runner Medic.lnk = C:\Program Files\RRMedic\RRMedic.exe
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: PartyPoker.com (HKLM)
O9 - Extra 'Tools' menuitem: PartyPoker.com (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.windupdates.com
O16 - DPF: DigiChat Applet - http://host3.digichat.com/DigiChat/D.../Client_IE.cab
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/game...ts/y/ct2_x.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://www.accesstimewarner.com/CFID...ses/CFJava.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_fi...dceabcca450006
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...irector/sw.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/downlo...22/wmv9VCM.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - http://v4.windowsupdate.microsoft.co...884.6422569444
O16 - DPF: {D27CDB6E-11CF-96B9-4400-000000000000} - http://active.macromedia.com/flash3/cabs/swflash.cab
O16 - DPF: {D27CDB6E-AE6D-0000-0000-000000000000} - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8519482F-5281-4B9E-B5E6-C9F1C6FF491E}: Domain = socal.rr.com
Reply With Quote
  #2  
Old January 6th, 2005, 07:09 AM
Pancake Pancake is offline
CTH Subscriber
 
Join Date: Jan 2004
Location: Australia
Posts: 11,317
Hi

Make sure to run Ad-Aware and Spybot S&D (check for updates), as these will do a preliminary malware clean first. Some files below may not be present after running the above programs.

Then....
Turn off your System Restore (SEE HERE). Reinstate it when your log is cleaned and then create a new restore point. Close your browser window and run HJT in Safe Mode (HOW TO RUN SAFE MODE) and have "Hijack This" fix all the following items in the list below by placing a check in the appropriate boxes and selecting "Fix checked". If any EXE files have been selected, go into HijackThis/Config/Misc Tools and open the process manager. Select the EXE files (if they are there) and click "Kill process" before deleting.

Folders that have been highlighted RED in the log will need to be uninstalled. Check first, as some folders may be uninstalled via Add/Remove Programs.

Files highlighted in BLACK in the log will need to be removed from your hard drive.

Make sure to have your system set to show hidden files and folders (HOW TO SHOW FILES).
When done, download Cleanup and run it to clean out the temp folders. Then please get the latest HJT v1.99, reboot and post a new log when finished...

O2 - BHO: (no name) - {9527D42F-D666-11D3-B8DD-00600838CD5F} - C:\WINDOWS\system32\IETie.dll
O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM32\NZDD.DLL
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [DKTime] C:\WINDOWS\System32\dktime.exe
O15 - Trusted Zone: *.windupdates.com
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_f...edceabcca450006
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab
Reply With Quote
  #3  
Old January 6th, 2005, 07:18 AM
mike mike is offline
CTH Subscriber
 
Join Date: Sep 2000
Posts: 3,302
Hi,
Do you use RealPlayer?
I've included RealPlayer removal, just until this is sorted.

Please right-click the "Microsoft.hta " file in the C:\Documents and Settings\All Users\Start Menu\Programs\Startup folder.
Choose "Send To" --> "Compressed (zipped) Folder".
Send the zip file to mike@n21.co.nz, please.

Download latest HijackThis 1.99 from HERE
It will auto install to C:\Program Files for you, just click on the "Unzip" button.
Delete your old Hijackthis folder.


Uninstall the following via Add/Remove Programs, if they exist:
Viewpoint Manager
Realplayer

Print this, or copy it to Notepad; Internet Explorer needs to be closed until the final reboot.

2.
Close ALL Internet Explorer Windows, only have HijackThis running.
In HijackThis, Check the boxes for the below entries, then click on "Fix checked"

O3 - Toolbar: (no name) - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - (no file)

O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [DKTime] C:\WINDOWS\System32\dktime.exe

O4 - Global Startup: Microsoft.hta

O4 - Global Startup: Road Runner Medic.lnk = C:\Program Files\RRMedic\RRMedic.exe

O9 - Extra button: Real.com (HKLM)

O9 - Extra button: PartyPoker.com (HKLM)

O9 - Extra 'Tools' menuitem: PartyPoker.com (HKLM)

O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_f...edceabcca450006

3.
Reboot into Safe Mode... (reboot and tap F8 immediately after the BIOS screen, then choose Safe Mode from the menu)
Make sure you can see Hidden Files and Folders --> How to show Hidden Files and Folders

Then delete the below files and folders:

C:\Program Files\Viewpoint<--- delete the Viewpoint folder

C:\WINDOWS\System32\dktime.exe <--- delete the file

C:\Program Files\Common Files\Real <--delete the Real folder

Microsoft.hta <-- It will be in the -E:\Documents and Settings\All Users\Start Menu\Programs\Startup folder.

winhelp.exe <-- do a SEARCH for the winhelp.exe file (7 KB), but do not delete the same-name file that is 251 KB in size... that is a Windows file.
If you find it, zip it up and send it to me also, please.

Reboot computer and post back a new HJT log v1.99 to this thread, please.

Cheers.
Reply With Quote
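The two replies above triage the log by eye: trusted-zone additions (O15), ActiveX downloads from unfamiliar hosts (O16), a script file in the all-users Startup folder (O4 Global Startup) and unnamed BHOs loaded from System32 (O2). The following Python script is an added example, not code from this thread or from HijackThis, that parses entries in HijackThis's line format and applies those same checks mechanically. The sample entries are copied from the log posted above (the truncated windupdates URL is left exactly as it appears there); the allowlist of known-good download hosts and the triage heuristics are the example's own assumptions, not anything HijackThis ships.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Sample entries, copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM32\NZDD.DLL
O4 - HKLM\..\Run: [DKTime] C:\WINDOWS\System32\dktime.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM32\qttask.exe" -atboottime
O4 - Global Startup: Microsoft.hta
O15 - Trusted Zone: *.windupdates.com
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_fi...dceabcca450006
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab
"""

# Assumed allowlist of hosts an ActiveX (DPF) download is expected from.
# Constructed for this example; a real list would be site-specific.
KNOWN_DPF_HOSTS = {
    "www.apple.com",
    "download.microsoft.com",
    "download.macromedia.com",
    "active.macromedia.com",
}

# Extensions that should not normally appear as a bare file in Startup.
SCRIPT_EXTS = (".hta", ".vbs", ".js", ".wsf")

# Every HijackThis entry starts with a section code such as R0, O4 or O16.
ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")


@dataclass
class Entry:
    code: str   # section code, e.g. "O16"
    body: str   # everything after "O16 - "
    raw: str    # the original line, for reporting


def parse_hjt(text):
    """Return the HijackThis entries found in text, skipping header lines."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group("code"), m.group("body"), line.strip()))
    return entries


def dpf_host(body):
    """Hostname of the download URL in an O16 (DPF) entry, or None."""
    m = re.search(r"https?://\S+", body)
    return urlparse(m.group(0)).hostname if m else None


def triage(entries):
    """Apply the thread's eyeball checks; returns (code, reason, body) tuples."""
    findings = []
    for e in entries:
        if e.code == "O15":
            # Any trusted-zone entry lowers IE's security settings for that site.
            findings.append((e.code, "site added to IE Trusted Zone", e.body))
        elif e.code == "O16":
            host = dpf_host(e.body)
            if host not in KNOWN_DPF_HOSTS:
                findings.append((e.code, f"ActiveX download from unrecognised host {host}", e.body))
        elif e.code == "O4" and e.body.startswith("Global Startup:"):
            target = e.body.split(":", 1)[1].strip()
            if target.lower().endswith(SCRIPT_EXTS):
                findings.append((e.code, "script file in the all-users Startup folder", e.body))
        elif e.code == "O2" and "(no name)" in e.body and "system32" in e.body.lower():
            # Unnamed BHO living in System32 is the pattern flagged in this thread.
            findings.append((e.code, "unnamed BHO loaded from System32", e.body))
    return findings


if __name__ == "__main__":
    for code, reason, body in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{code:<4} {reason}\n     {body}")
```

Run on the sample, the script reports the NZDD.DLL BHO, Microsoft.hta in Global Startup, the windupdates.com Trusted Zone entry and the two DPF downloads from windupdates.com and errorguard.com, and stays silent on Apple's QuickTime control, which matches what Pancake and mike selected for fixing. The allowlist is the weak point of any such script: it only tells you what is unfamiliar, and a reviewer still has to decide what to do with each entry.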