1
   

help! hijackthis log

Forums: Computers
Email this Topic Print this Page
 
 
freakstyle28
 
Reply Thu 16 Mar, 2006 11:04 pm
I think I've been invaded by some spyware installation program, because I'm getting consistent popups on the taskbar saying "so and so is trying to install" or "critical: something trying to install", in which case I always have to click "block" or "remove now". And I'm pretty sure it was my fault, because admittedly, I was online looking for pictures from the '06 SI Swimsuit Issue of Maria Sharapova and clicked some "video" link, in which case it asked if I would allow a program to run or not. I know, that shoulda been an obvious one. Don't know what I was thinking, or if I even was.

Anyway, here's the hijackthis log. I'll be sure to run Ad-aware, Microsoft AntiSpyware, and my antivirus after I figure out what things to get rid of.

I hate when I do something stupid like this.

C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\svjecylA.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\slk8x2peu.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AIM\aim.exe
C:\WINDOWS\SYSTEM32\RAMASST.exe
c:\windows\system32\qkdsregn.exe
C:\Documents and Settings\Jon\My Documents\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.centralva.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Centralva.net
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;http://localhost;<local>
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: Yvakt Class - {DAAC59E5-093D-4D24-A105-55BFE4ACDE14} - C:\WINDOWS\system32\w9seq.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [svjecylA] C:\WINDOWS\svjecylA.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [Installed] 170
O4 - HKLM\..\Run: [q8lg] "C:\WINDOWS\system32\slk8x2peu.exe"
O4 - HKLM\..\RunOnce: [MicrosoftAntiSpywareCleaner] C:\Program Files\Microsoft AntiSpyware\gcASCleaner.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\SYSTEM32\RAMASST.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.centralva.net
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,15/mcgdmgr.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O18 - Filter: text/html - {CEA53356-C414-4331-A35E-AA4CE9D8DFA2} - C:\WINDOWS\system32\w9seq.dll
O20 - AppInit_DLLs: repairs303169551.dll
O20 - Winlogon Notify: Explorer - C:\WINDOWS\system32\nkprovau.dll (file missing)
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\svjecyl.exe
  • Topic Stats
  • Top Replies
  • Link to this Topic
Type: Discussion • Score: 1 • Views: 751 • Replies: 2
No top replies

 
timberlandko
 
  1  
Reply Fri 17 Mar, 2006 01:13 pm
You're sorta putting the cart infront of the horse there, freakstyle. You should do some serious cleanup and hardening before using HJT to "Fix" anything; it does a good job of revealing nasties, but many things it finds first time around it really can't "Fix", because of the way the current crop of nasties hide, protect, and rebuild themselves.

Nevermind Windows Antispyware; its been replaced by Windows Defender (Beta 2). If you have Microsoft Antispyware, uninstall it, then search-for-and delete its folder (which should be in %systemroot%\Program Files, where "%systemroot% is your root drive, the drive on which Windows is installed, usually "Drive C:\"). Then per the instructions on Defender's download page, download, install, update, and configure the application. When you have finished, don't run it, just close it, as directed below in the detailed preliminary proceedure.

The following proceedure is an up-to-date, integrated series of steps designed to preliminarily clean your system (though some cleanup may remain to be done after the first runthrough, which is why the follow-up logs and reports are requested) and to harden it against future infestations. It should be implemented in the order and manner listed. Its tedious, nit-picky, and time-consuming, but it is proven safe, effective, and reliable. Getting rid of yuckware is much more hassle than getting it in the first place, and taking the time and effort to prevent it once you've managed to get rid of it is time and effort well invested.

If you choose to give this method a shot, you should print out these instructions, as the proceedure will require that your machine be offline for several of the steps. Be certain you understand what to do, and how and in what order to do it. If you're unsure of, or have trouble with, anything here, please ask before going on. Also, if any of the supplied links don't work, please let me know.

  1. First, gather the downloads and perform the installations and updates as recommended. Just download, install, update and configure these applications, DO NOT RUN ANY OF THEM YET, unless specifically directed otherwise.

  2. Configure Windows Explorer to Show All Files


  3. Be certain you have the latest version of HiJackThis, and that it is installed to a folder of its own either in your Programs file or directly on your root drive (the drive on which Windows is installed, usually "Drive C:\"). If you have already installed HiJackThis, be certain its in its own correctly placed folder, not a user-specific, temporary or desktop folder (to place HJT in its own folder, open Windows Explorer - Windows key + E - locate and select your root drive, the drive on which Windows is installed, and open that folder, right-clicking anywhere in that folder's blank space, select "New">"Folder", name the new folder "HJT", then download and extract, or if you already have the latest version somewhere else move, HJT into that folder). Launch the application, then, from its splash screen, choose "Miscellaneous Tools", or from the main start page, select "Config", then select "Search for updates online", confirm, and be sure your's is the latest version. Don't run a scan or fix anything yet. When running HiJackThis to scan or fix things, run it from its own folder, WITH NO OTHER BROWSERS, WINDOWS, FILESHARING, EMAIL, OR MESSAGING APPLICATIONS OPEN OR RUNNING

  4. Go to Windows Update and check to make certain there are no outstanding Service Packs or High-Priority Updates for your operating system and/or Internet Explorer.

  5. Run the online version of the Microsoft Windows Malicious Software Removal Tool.

  6. Download, install, and update Windows Defender (Beta 2) (this is the successor to Microsoft Antispyware). Be sure to read, understand, and follow the download, installation, and update instructions available on the download page. Do not run the application's scan yet, just download, install, and update it.

  7. Download, install, and update Ewido Anti-malware (the successor to Ewido Security Suite). Again, read, understand, and follow the download, installation, and update instructions available on the download page, and don't run the application's scan yet, just download, install, and update it. Note: when installing/configuring the trial version, do not select the automatic update or real-time protection options.


  8. Download, install, and update Ad-Aware SE Personal. Just install and update it (when the program has installed, click the blue-green "Planet" icon, second from the right at the top of the screen, to run the auto-update function, and follow the prompts to update the application); don't run a scan yet.

    • When it has updated, click on the orange-ish "Gear Icon" (second-from the left at the top right-hand side of the window) to open the Ad-Aware configuration utility.

    • Under the "General" tab, all radio buttons should be green; if not, click to activate them.

    • Click the "Scanning" bar at the left of the page. Under "Drivers, Folders & Files", only the "Scan within archives" button should be green. Under "Memory & Registry", all buttons should be green.

    • Click the "Advanced" bar. Under "Shell Integration", "Move deleted files to Recycle Bin" should be green, and its your call whether you want to add "Scan with Ad-Aware to Explorer".

    • Under "Logfile Detail Level", all 3 buttons should be green.

    • Under "Alternate Data Streams", both buttons should be red.

    • Skip the "Startup", "Default", and "Interface" bars for now.

    • Click the "Tweak" bar. Click the plus-sign to open "Scanning Engine". "Unload recognized processes ... ", "Obtain command line ... ", and ""Scan registry for all users ... " should be green, "Run scan as background ...", "Ignore spanned files ...", and "Use permanent ... " may be left red.

    • Click to open "Cleaning Engine". The first 5 buttons should be green ("Automatically check ...", "Always try ...", "During removal ... ", "Let Windows remove ... ", and "Delete quarantined ..."} should be green, the remaining 3 ("Suppress warning ...", "Suppress progress ..." and "Disable manual ...") should be red.

    • Skip the remaining bars, click "Proceed", then close Ad-Aware WITHOUT RUNNING A SCAN.

    • With Ad-Aware closed, download LavaSoft's VX2 Cleaner Plugin, and install it per instructions found on the download page. read the instructions carefully so you'll know how to run the plugin when required. Do not run it, or Ad-Aware SE Personal, yet; just exit back to your desktop.



  9. Download LSP-Fix. Just download it to a convenient-to-find place on your machine (A suitably named new folder your desktop is fine for now); it may or may not be needed, but if it is needed, you'll want to find it easily. Sometimes removal of yuckware will result in your not being able to connect to the internet. If this happens, LSP-Fix should take care of the problem. Be sure to read and understand (good idea to print out) the application's DOCUMENTATION so you know what to do if it becomes necessary.

  10. Download, install, and update Spybot S&D. Just install and update it (when it installs, the program will give you the option to "Download all updates" - let it do so), don't run it yet.
    • When the program has been installed and updated, select "Immunize", click the green "+" plus-sign symbol at the top of the page to install Spybot's immunization, and follow any prompts.
    • On that same page, click to place a checkmark in the "Browser Helper to block bad downloads ... " button, then, from the dropdown below that, select "Block all bad pages silently".
    • DO NOT SELECT Spybot S&D's "TeaTimer" option at this time.
    • While you have Spybot open it would be a good time to read the tutorial available under the Help file at the top left-hand corner of the page. When done, don't run a scan yet, just close the application.


  11. Download CWShredder, and unzip it to your desktop, but don't run it yet.

  12. Download, install, and update CCleaner[/i][/u] per the instructions on the download page. Just download, install, and update it, don't do anything with it yet; we'll be using it a a few times later in this process.

  13. Download, install, and update Javacool Software's SpyWareBlaster. When the update has completed, select "Enable all protection", and exit back to your desktop. SpywareBlaster does not need to be running for its protection to be active, but you should should launch it at least weekly to check for updates. Read the FAQ HERE

  14. Download the latest version of McAfee/AVERT Stinger - read and understand the instructions for running it, but don't run it yet, just download it to a convenient-to-find location such as an appropriately named folder on your desktop.

  15. Update your own resident anti-virus application, but do not run a scan with it yet; just update it and close the application.

  16. Now, per the instructions for your own resident antivirus and other security/privacy software, and with no other browsers or chat, messaging, or email clients open or running, DISABLE your resident anti-virus and other security/privacy software, then immediately go to TrendMicro HouseCall Free Online Scan and, per the instructions, run the free scan-and-clean process. If when it has finished, it reports it detected but did not remove something, please make careful, exact verbatim note of the item(s) reported - save it to report back here when the time comes.

  17. When you have completed the TrendMicro scan-and-clean, locate and launch CCleaner, and have it run a full cleanup only (do not do anything with "Issues" or "Tools" at this time).

  18. When that has completed, reboot your machine, and, with your resident antivirus and other security/privacy software disabled and no other browsers or chat, messaging, or email clients open or running, go to Panda Free Online Scan, and run the free online scan-and-clean available there. Please save the report it will generate when it has completed; we'll want to see that when the time comes.

    IMPORTANT: DISABLE ANY OTHER ANTIVIRUS YOU MAY HAVE ON YOUR MACHINE BEFORE RUNNING ANY OF THE ONLINE SCANS. Also, if you have any popup blocking, adblocking, or actively running antispyware application, disable those as well; they can interfere with online virus scans. Should an online scan report it has detected something it cannot repair or remove, please copy the exact message received, being sure to note the entire name and path of any file mentioned, and save it to post here at the appropriate time.

  19. When that has been done, locate and launch CCleaner once more, again running a full scan-and-clean only.

  20. When that has completed, Boot Into Safe Mode. The following steps are to be carried out in safe mode until the series is completed, and you are advised to reboot normally. If at any time during the process you do reboot, boot back into safemode before proceding with the next step.

  21. Locate and launch Stinger; have it scan-and-clean your system per its instructions. When it has completed, reboot into Safe Mode and run it again. Do not reboot.

  22. While in Safe Mode, locate and launch your own resident antivirus and run a full system scan-and-clean with it. When that has completed, do not reboot.

  23. Next, while still in Safe Mode, locate, launch, and run CWShredder. Select "Fix" and let it run to completion. When it has completed, regardless what it reports, run it in its "Fix Mode" again. Do not reboot.

  24. When that has completed, and while in Safe Mode, locate and launch Ewido Anti-malware, and run a full system scan-and-clean. Have it "Fix" whatever it finds. Please save the report it will generate when it has completed; we will want to see that when the time comes.

  25. When that has completed, and while in Safe Mode, locate and launch Windows Defender, and run a full system scan-and clean with it, having it "Fix" whatever it finds. Again, when it has completed, and while in safe mode, run it a second time.

  26. When that has completed, locate and launch Ad-Aware SE, select and run the VX2 Cleaner Plugin per instructions. When the plugin has completed, run it again. Now, again without rebooting, or if you have rebooted, while running in Safe Mode, run a full-system scan-and-clean with Ad-Aware SE, directing it to remove everything it finds. Once again, without rebooting, run a second full-system scan-and-clean with Ad-Aware SE.

  27. Following the second run of Ad-Aware SE, locate and launch CCleaner once more, and again run a full scan-and-cleanup only.

  28. Now, reboot normally, but DO NOT ALLOW YOUR MACHINE TO CONNECT TO THE INTERNET. If necessary, physically disconnect the cable between your machine and your internet access device or shut off your Wireless Gateway.

  29. When your machine has rebooted, and not connected to the internet, be certain your own resident anti-virus and any other security/privacy software is disabled, then run full system scan and clean proceedures with, in this order:

    • CWShredder
    • Ewido Anti-malware (Note: Again please save the report generated when the application has completed)
    • Windows Defender
    • Ad-Aware SE (Note: Please also run Ad-Aware SE's VX2 Cleaner pluigin once more as well)
    • Spybot S&D (Note: Have Spybot S&D "Fix" everything it reports found which it lists in RED, items listed in GREEN are non-critical and your call)
    • CCleaner


  30. Now, reboot normally once more, and without allowing your machine to connect to the internet, locate and launch HiJackThis. Before running a scan, please have it generate a Startup List by going to the "Miscellaneous Tools" page, placing a checkmark in each of the 2 boxes next to the "Generate StartupList Log" button, then click the button and save the generated report. When that has completed, WITH NO OTHER BROWSERS, WINDOWS, FILESHARING, EMAIL, OR MESSAGING APPLICATIONS OPEN OR RUNNING, click the "Back" button, and have HiJackThis run a scan-and-save-log only - DO NOT "FIX" anything yet.

  31. When that has completed, make sure your resident anti-virus and other security/privacy software are enabled, connect to the internet, navigate back to this thread, and post
    • The Panda ActiveScan Report
    • Both the 1st and 2nd Ewido Anti-Malware reports
    • Any error messages or "Could not remove" reports you may have encountered, if any - please report these verbatim, exactly as they appeared.
    • The HiJackThis StartupList Log
    • The HiJackThis Scan Log


You may find it convenient to click "Turn on email updates" down at the bottom right of this page; doing so will cause a notification to be sent to the address you registered with A2K whenever this topic receives a reply.
0 Replies
 
Bella Dea
 
  1  
Reply Fri 17 Mar, 2006 01:30 pm
Timber,
You should put a disclaimer on these instructions:

"While these steps will effectively remove nasties from your computer, please be advised that it will take you 38 hours to complete."

Laughing

Man, some of those deep scans take forever! Laughing
0 Replies
 
 

Related Topics

Super cool computer tricks, for dopes like me. - Discussion by OCCOM BILL
Clone of Micosoft Office - Question by Advocate
Do You Turn Off Your Computer at Night? - Discussion by Phoenix32890
The "Death" of the Computer Mouse - Discussion by Phoenix32890
Windows 10... - Discussion by Region Philbis
Surface Pro 3: What do you think? - Question by neologist
Windows 8 tips thread - Discussion by Wilso
Mac help/can't install new printer, don't remember passwd - Discussion by ossobuco
GOOGLE CHROME - Question by Setanta
.Net and Firefox... - Discussion by gungasnake
Hacking a computer and remote access - Discussion by trying2learn
 
  1. Forums
  2. » help! hijackthis log
Copyright © 2025 MadLab, LLC :: Terms of Service :: Privacy Policy :: Page generated in 0.05 seconds on 08/09/2025 at 02:20:42