StumpedNeedHelp

Please Review My Log

9 posts in this topic

I experienced some weird downloads and now a lot of little processes and unknown activity seems to be sneaking its way onto my computer. I have done my best to clean it up using Ad-aware, Spybot, hijackthis, and cwshredder. There were hundreds of problems to be fixed.

 

Unfortunately, i can't run TrojanHunter anymore, since it keeps telling me my trial period has expired (even when i reinstalled).

 

So, please review my Hijackthis log and tell me what seems out of place.

 

And..um.. if you can, tell me if i am missing something, i might have deleted too much. if something i should have seems MIA, please let me know where i can get it from.

 

PS- I seem to have lost

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

How can i get it back?

 

Logfile of HijackThis v1.97.7

Scan saved at 11:28:50 PM, on 7/27/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe

C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\SmartDisk\FlashPath\sdstat.exe

C:\Palm\HOTSYNC.EXE

C:\WINDOWS\System32\wuauclt.exe

C:\WINDOWS\System32\Olu59bR.exe

C:\WINDOWS\System32\VcbNV.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\TEMP\Rem4.exe

C:\Documents and Settings\John\My Documents\For Bill\HijackThis.exe

 

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe

O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"

O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe

O4 - HKLM\..\Run: [siSUSBRG] C:\WINDOWS\SiSUSBrg.exe

O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [4LQHPC64W54N#N] C:\WINDOWS\System32\Fah1q5.exe

O4 - HKLM\..\Run: [MATHGLOBAL] C:\PROGRA~1\Each Heart Curb\Second Wait.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - Global Startup: FlashPath Monitor.lnk = C:\Program Files\SmartDisk\FlashPath\sdstat.exe

O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O10 - Unknown file in Winsock LSP: c:\windows\system32\lspak.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\lspak.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\lspak.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\lspak.dll

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

Edited by StumpedNeedHelp


Ok. It's late and I was a little vague with my original post. Let me try to clarify a couple things.

 

I am mainly experiencing random pop-ups. Usually ads for well.. getting rid of unwanted ads. But i am also getting pretty much any other little malware feature you can think of. Redirected sites. Little blue search bar at top of screen that won't go away. Blue search panel at bottom of Browser window that can be closed.

One of the browser redirectors/popups/hijackers seems to be azoogleads.com if that means anything to you.

 

And the more i try to fix, the more these things keep coming back and more with them. I tried to do that housecall thing for a virus. but there was an error and my browser closed.

 

And on my Hijackthis log there are some unknown dll looking files with 10 in front of them. i can't get rid of those.

 

I hope this helps. anything else you need, i'll try to get it. but i have to go to bed for tonight.

 

Please. help.

 

My hijackthis log has changed every time i look at it. if you want me to post the latest, let me know. But the basics are probably still the same.


*bump*

 

Ok, anyone please, i need suggestions. Step by step if need be. I have repeatedly tried updating and running ad-aware, spybot, and hijackthis to pick out the nasty looking ones. Trojanhunter won't run any more on my computer since i am outside the free trial. And i feel that i am in the grips of an evil trojan.

 

Every time i clear out some of my hijackthis guys they return in a few moments under a different name. every reboot, or at random times, i get pop ups and redirects and browser hijacks. It might be lop.com, but i can't seem to detect it with any of my checkers. It seems to be a trojan or something worse.. maybe a lot somethings.

 

I killed all my cookies, deleted any unknown program from my control panel add/remove, and have continually checked and rechecked with all the removers. one moment, they find nothing. a few minutes into browsing or internet activity, and i am hit with popups and the checkers find all kinds of malware back on my computer.

 

so PLEASE.. i need help.

 

I am reposting my HijackThis log. I am not sure if it will help, but it's all I can do. If I have to buy programs to clean out my system, I will need suggestions on what programs to get. But I hate the thought of using money when these horrid hijacks hit me for free.

 

Ok, here is the most recent log:

 

Logfile of HijackThis v1.97.7

Scan saved at 9:47:16 PM, on 7/28/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe

C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\SmartDisk\FlashPath\sdstat.exe

C:\Palm\HOTSYNC.EXE

C:\WINDOWS\System32\Paa53i.exe

C:\WINDOWS\System32\VcbNV.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\John\My Documents\For Bill\HijackThis.exe

 

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe

O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"

O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe

O4 - HKLM\..\Run: [siSUSBRG] C:\WINDOWS\SiSUSBrg.exe

O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [4LQHPC64W54N#N] C:\WINDOWS\System32\Fah1q5.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - Global Startup: FlashPath Monitor.lnk = C:\Program Files\SmartDisk\FlashPath\sdstat.exe

O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8196.0132060185

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab

 

I should note that all the .exe files with weird letters "VcbNV.exe" etc. can be stopped (as a process) and fixed (in hijackthis), but always return with different letters in front of the .exe.


*bump*

 

Sorry for the bump. But I still need help. My problem may be a Coolweb that isn't taken care of by the shredder anymore. One of the things that keeps appearing in my Ad-aware scan no matter how many times I delete it are some Coolweb files. I'll need help to remove it.


Your latest log is notably shorter than the first one you posted.

 

If you have removed anything, please post back, and say what entries you removed.

It looks as if you removed the O10 items. This should never be done using HijackThis, as irreparable damage can be done to the LSP chain.

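The comparison asked for in the reply above (which entries went away between scans) can be done mechanically. The following is an added example, not part of the original thread: it diffs two HijackThis logs and keys Run entries on hive plus value name, so a startup entry whose target file is renamed between scans is reported as changed rather than as an unrelated removal and addition. The names `parse` and `diff_logs` are hypothetical; the sample lines are excerpted from the 7/27 and 7/31 logs posted in this thread.

```python
import re

# Sample input: lines excerpted from the 7/27 and 7/31 logs in this thread.
LOG_0727 = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [4LQHPC64W54N#N] C:\WINDOWS\System32\Fah1q5.exe
O4 - HKLM\..\Run: [MATHGLOBAL] C:\PROGRA~1\Each Heart Curb\Second Wait.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\lspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\lspak.dll
"""
LOG_0731 = r"""
O2 - BHO: (no name) - {121359EE-0645-43B7-8991-4E04BADAD2E5} - C:\WINDOWS\System32\mhofnaa.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [4LQHPC64W54N#N] C:\WINDOWS\System32\Cjz1K.exe
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")    # "O4 - <rest of entry>"
RUN = re.compile(r"^(.*?Run): \[(.+?)\] (.*)$")   # "<hive>\Run: [value name] <command>"

def parse(log_text):
    """Return {key: value} for every section entry (R0, O4, O10, ...) in a log."""
    entries = {}
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # header, running-process path or blank line
        code, rest = m.groups()
        run = RUN.match(rest)
        if run:
            # Key on hive + value name: a renamed target then shows up as "changed".
            key, value = (code, run.group(1), run.group(2)), run.group(3)
        else:
            key, value = (code, rest), rest
        entries[key] = value  # repeated lines (e.g. the O10 entries) collapse to one
    return entries

def diff_logs(old_text, new_text):
    """Compare two logs and list removed, added and changed entries."""
    old, new = parse(old_text), parse(new_text)
    return {
        "removed": sorted(k for k in old if k not in new),
        "added": sorted(k for k in new if k not in old),
        "changed": sorted((k, old[k], new[k])
                          for k in old if k in new and old[k] != new[k]),
    }

if __name__ == "__main__":
    for kind, items in diff_logs(LOG_0727, LOG_0731).items():
        for item in items:
            print(kind, item)
```

On these excerpts the `[4LQHPC64W54N#N]` Run value is reported as changed (same value name, different executable), which matches the poster's observation that the files come back under new names.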

Ok.

 

Well. During the time i was waiting for any info on this forum, i was constantly looking through other posts and some other sources for ways to remove what was happening to me.

 

I found spyferret, tried it.. discovered it wasn't so grand. deleted it.

 

I continually searched my drives for cookies and other elements of the hijack I could remove. Such as several things in add/remove programs that should never have been there. And I even had to clear out my favorites several times due to the fact that a lot of casino and general search 'favorites' were added without my adding them. (I am sorry, but there had been so many little things, mainly coolweb files and istbar and other well known baddies that I just kept deleting. At one time I had 200 found in Ad-aware. So I can't be specific about which ones I took out. In HijackThis, I only tried to remove ones I knew were bad BHOs. The only exe files I have tried to remove keep coming back. Very sorry I didn't keep a better record. My mistake.)

 

As for the O10 items from HijackThis. I was browsing this forum system and came across information on a program called lspfix. Since I never had any O10 things appear in my HijackThis scan before this particular hijack, I decided to use the lspfix and clear them out. It looked like it worked.

(However, by habit, I did try to remove the O10s with HijackThis, but was unable to do so. I hope that my unsuccessful attempts did not ruin something.)

 

As far as any other 'shortening' of the hijackthis log. I have been running ad-aware and spybot a number of times. usually to clean up the little hijacks that the big (unremovable) trojan/hijack keeps installing. It is possible that one of my scans did remove some things that didn't get removed the first times i tried.

 

Also, I believe I adjusted Ad-aware to scan deeper. So that could account for some of the difference between the logs too.

 

However, since my last log (july 28) i have not done any major clean ups.

 

Any tiny file variation is probably due to this trojan renaming the file whenever i tried to delete it with hijack this. normally, as i said above, with .exe files.

 

I have also browsed my regedit to see if anything stood out as 'hijack' seeming. i am nervous about the regedit so i did NOT adjust anything in there. But i did see win-tools. which raised an eyebrow.

 

I am very happy you responded. please let me know what you think i should do. Thank you very much.

Edited by StumpedNeedHelp


Please post an updated HijackThis log.


Ok Here is my newest log.

 

I have a couple new symptoms to report. Several times over the last week i have been unable to use the internet on the infected computer to reach these forums. However, after running ad-aware and manually deleting a number of cookies (found by using 'search' in the start menu) I was able to return here and check the forums.

 

This log appears as it did after my last ad-aware run and spybot run. I had to run those in order to return to this forum.

 

Also, i usually 'fix' all the R1 and R0 elements found in the hijack this as they appear. i left them in this one so you would see them.

 

Logfile of HijackThis v1.98.0

Scan saved at 10:12:21 PM, on 7/31/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe

C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe

C:\Program Files\SmartDisk\FlashPath\sdstat.exe

C:\Palm\HOTSYNC.EXE

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\VcbNV.exe

C:\WINDOWS\System32\VcbNV.exe

C:\WINDOWS\System32\wuauclt.exe

c:\progra~1\intern~1\iexplore.exe

c:\progra~1\intern~1\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\John\My Documents\hjt\hijackthis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\John\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\John\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\John\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\John\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\John\LOCALS~1\Temp\sp.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\John\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {121359EE-0645-43B7-8991-4E04BADAD2E5} - C:\WINDOWS\System32\mhofnaa.dll

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe

O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"

O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe

O4 - HKLM\..\Run: [siSUSBRG] C:\WINDOWS\SiSUSBrg.exe

O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [4LQHPC64W54N#N] C:\WINDOWS\System32\Cjz1K.exe

O4 - Global Startup: FlashPath Monitor.lnk = C:\Program Files\SmartDisk\FlashPath\sdstat.exe

O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O18 - Filter: text/html - {61424F51-1BA9-4FE1-B841-7DD195228E30} - C:\WINDOWS\System32\mhofnaa.dll

O18 - Filter: text/plain - {61424F51-1BA9-4FE1-B841-7DD195228E30} - C:\WINDOWS\System32\mhofnaa.dll

 

Again, thank you very much for your attention in this matter.


*bump*

 

It's been almost a week since I was able to get on to these forums. Perhaps due to something in my computer. Just couldn't make a connection.

 

Anyways. I still need help. If anything, i would love to hear a recommended virus program to clean out the trojans. Note: Housecall does not work.. always get error reports at their site and iexplorer shuts down.

 

Oh, if it will help, here's yet another log.

 

Logfile of HijackThis v1.98.0

Scan saved at 7:30:51 PM, on 8/8/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe

C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe

C:\Program Files\SmartDisk\FlashPath\sdstat.exe

C:\Palm\HOTSYNC.EXE

C:\WINDOWS\System32\nvsvc32.exe

c:\progra~1\intern~1\iexplore.exe

c:\progra~1\intern~1\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\John\My Documents\hjt\hijackthis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\John\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\John\LOCALS~1\Temp\sp.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.nvkbwloveo.com/pYA1mAzIJjp5C8U7...85tt0o3Zt0.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

R3 - Default URLSearchHook is missing

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe

O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"

O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe

O4 - HKLM\..\Run: [siSUSBRG] C:\WINDOWS\SiSUSBrg.exe

O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [MATHGLOBAL] C:\PROGRA~1\EACHHE~1\Second Wait.exe

O4 - Global Startup: FlashPath Monitor.lnk = C:\Program Files\SmartDisk\FlashPath\sdstat.exe

O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
