
May 26th, 2004 19:00

Hijack This Log - Please Help!

I have SpyBot installed on my computer as of last week. I have run it twice. All of a sudden, my Internet Explorer is defaulting to here4search.com and there are pages I can no longer access, even though I am certain they are not any threat. When I bring these sites up, if I try to click on anything in the window, it immediately goes to something titled super-spider something or other. Also, these sites at the bottom right are marked restricted. Hmmmmm. Below I have posted my Hijack This log in hopes of getting some help. I'm a real novice, was glad to find this forum. Thanks for checking into this for me! 

Logfile of HijackThis v1.97.7
Scan saved at 3:46:23 PM, on 5/26/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\stickies\stickies.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\helpctr.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Northstar3\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe
C:\WINDOWS\system32\h323msp.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windowws.cc/hp.htm?id=632
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?new-hklm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?new-hklm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.dellnet.com/
O2 - BHO: (no name) - {A9A674BF-771F-42E5-A440-D20DDA85A862} - C:\WINDOWS\System32\42nox73p8n.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
O4 - HKLM\..\Run: [jopa] C:\WINDOWS\System32\sysstartup.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [h323msp] C:\WINDOWS\system32\h323msp.exe
O4 - HKCU\..\Run: [uninstal] regsvr32 /u /s image.dll
O4 - HKCU\..\Run: [jopa] C:\WINDOWS\System32\sysstartup.exe
O4 - Startup: Stickies.lnk = C:\Program Files\stickies\stickies.exe
O4 - Global Startup: America Online Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: winlogin.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O16 - DPF: Yahoo! Backgammon - http://download.games.yahoo.com/games/clients/y/at0_x.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/download/0/5/c/05c905f4-dd30-427d-a3de-373c3e5552fc/msSecAdv.cab?1085504918609
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {B2BA7DDB-D205-48FF-9757-3CD70A9651C9} (ACIWizard.CByteInterface) - https://ols.adin.net/Controls/ACIWizard.CAB
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://firstmagnus.webex.com/client/latest/webex/ieatgpc.cab

 

317 Posts

May 26th, 2004 21:00

SweetPea0264,

Install and run this program called: CWShredder.  You can get it here

One of your startups should be fixed using HJT, but first you must install it on your hard drive.  You are running it from a temp file.  By installing it on the hard drive it will make backups to anything you FIX.

Using HJT, scan and place an X next to this line:

O4 - HKCU\..\Run: [uninstal] regsvr32 /u /s image.dll

Reboot, and run a scan again and post it to this thread.

May 27th, 2004 12:00

Thanks for replying John. As I stated before, I am a total novice here. I downloaded the CWShredder. Before I run it, could you please tell me how I should do this? I don't want to screw anything else up over here. There is a box checked saying 'Move Trojan files to recycle bin or delete' ... should I keep this checked? Also, after it's run, do I go ahead and 'fix' whatever comes up?

Also ~please bear with me here, I just want to make sure I do this right~ since I have HJT in a temp file, how should I go about putting it on my hard drive? I'm taking this one step at a time here, and certainly don't want to do any further damage to my system.

Thank you again! ~Lisa

2 Intern • 3.9K Posts

May 27th, 2004 13:00

These are my instructions for the folder for hijackthis and CWShredder
====================
Important: Create a folder on the C: drive called C:\HJT.
You can do this by going to My Computer (Windows key+e) then double click on C: then right click and select New then Folder and name it HJT.
Unzip HijackThis into this folder. When you run HijackThis from this folder and have it "Fixed checked" it will create a backup file of modifications to use if restore is necessary. Please delete the old copy (including the zip copy) so it can't be used.
====================
Download, then unzip and run CWShredder to clean up, clicking FIX to have it remove all it finds.

cwshredder from here
or from here
or download page from here

Please run in safe mode (F8 at boot time)
How to start the computer in Safe mode

Please post a new hijackthis log after a reboot.

May 27th, 2004 14:00

Hi John,

Followed your instructions. I believe I did everything correctly. Still having the same problems basically, however my new hijacked homepage reads C:\WINDOWS\SYSTEM32\hp.uti  - in the address line of IE, and at the bottom right it says My Computer. Below is the log of the scan I ran after.

Logfile of HijackThis v1.97.7
Scan saved at 11:43:17 AM, on 5/27/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Northstar3\Local Settings\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windowws.cc/hp.htm?id=632
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.dellnet.com/
O2 - BHO: (no name) - {A9A674BF-771F-42E5-A440-D20DDA85A862} - C:\WINDOWS\System32\42nox73p8n.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
O4 - HKLM\..\Run: [jopa] C:\WINDOWS\System32\sysstartup.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [h323msp] C:\WINDOWS\system32\h323msp.exe
O4 - HKCU\..\Run: [jopa] C:\WINDOWS\System32\sysstartup.exe
O4 - Startup: Stickies.lnk = C:\Program Files\stickies\stickies.exe
O4 - Global Startup: America Online Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: winlogin.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O15 - Trusted Zone: *.greg-search.com
O16 - DPF: Yahoo! Backgammon - http://download.games.yahoo.com/games/clients/y/at0_x.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/download/0/5/c/05c905f4-dd30-427d-a3de-373c3e5552fc/msSecAdv.cab?1085504918609
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {B2BA7DDB-D205-48FF-9757-3CD70A9651C9} (ACIWizard.CByteInterface) - https://ols.adin.net/Controls/ACIWizard.CAB
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://firstmagnus.webex.com/client/latest/webex/ieatgpc.cab

Thank you, yet again!  ~Lisa

317 Posts

May 27th, 2004 14:00

Chris, two comments.  Should the box be cleared for moving the infected files to the recycle bin?  And, your first link to CW Shredder is broken.

2 Intern • 3.9K Posts

May 27th, 2004 15:00

SweetPea

That log was produced while in safe mode - could you do another while in normal mode please.

John

Merijn had to add the box because the files were being deleted completely and some malware fighters did not like the idea of ANY program - even one like CWShredder deleting files completely without a way to restore them. He therefore put in that box to give a method of saving the deleted files to the recycle bin.
I would empty that recycle bin after the full clean - so think it is a waste of time saving the files. CWShredder has never (to my knowledge) been accused of deleting files that are required - so I think it is a pointless thing to do. Leave it unticked, unless you are feeling very safety conscious.

317 Posts

May 27th, 2004 15:00

Lisa, you must follow ChrisRLG's instructions above.  You have to install HiJack This on your hard drive; you are still running it from temp files.  If we fix anything there would be no way to reverse the action.  Follow his links to HJT and click SAVE (not run from present location).  Do the same with CWShredder and run by clicking FIX.

After you have done this Run HJT, scan, and place an X on the following line.

O4 - Global Startup: winlogin.exe

The next two lines are not part of the problem but should be taken out until your problem is fixed.

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

Click the FIX button to remove the lines

 

PCHealth is from another operating system; is this an upgrade XP?

IE Restrictions is a security application that may not allow you to make changes or access certain applications.  You can always re-install it again after the computer is running well.

Watch out for web games (ie. Yahoo) you get more than just games!

Message Edited by JohnK324 on 05-27-2004 12:34 PM

This one I would ask ChrisRLG.  I picked this up after looking very close but I am not sure.  Notice the misspelled word in this line,

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windowws.cc/hp.htm?id=632

I am wondering if she has a folder named that? 

Message Edited by JohnK324 on 05-27-2004 12:42 PM

May 27th, 2004 16:00

Hi John,

I apologize for wasting time and space, for some reason winzip was not on my system, not sure what happened there, but that's why I was running HJT in a temp file (duh). All set with that now. I followed your instructions, log below... here are the issues I had:

Could not delete 04-Global Startup: winlogin.exe...got error message 'This file may be in use. Use Task Manager to shutdown program'  - no clue on that.

There was no file listed on last scan for that PCHealth thing - also, this is not an XP upgrade, not sure how/where/what that is or came from.

Thanks for your patience  ~Lisa

Logfile of HijackThis v1.97.7
Scan saved at 1:22:32 PM, on 5/27/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\stickies\stickies.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\PROGRA~1\WINZIP\wzqkpick.exe
C:\WINDOWS\system32\h323msp.exe
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.dellnet.com/
O2 - BHO: (no name) - {A9A674BF-771F-42E5-A440-D20DDA85A862} - C:\WINDOWS\System32\42nox73p8n.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
O4 - HKLM\..\Run: [jopa] C:\WINDOWS\System32\sysstartup.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [h323msp] C:\WINDOWS\system32\h323msp.exe
O4 - HKCU\..\Run: [jopa] C:\WINDOWS\System32\sysstartup.exe
O4 - Startup: Stickies.lnk = C:\Program Files\stickies\stickies.exe
O4 - Global Startup: America Online Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: winlogin.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O15 - Trusted Zone: *.greg-search.com
O16 - DPF: Yahoo! Backgammon - http://download.games.yahoo.com/games/clients/y/at0_x.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/download/0/5/c/05c905f4-dd30-427d-a3de-373c3e5552fc/msSecAdv.cab?1085504918609
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {B2BA7DDB-D205-48FF-9757-3CD70A9651C9} (ACIWizard.CByteInterface) - https://ols.adin.net/Controls/ACIWizard.CAB
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://firstmagnus.webex.com/client/latest/webex/ieatgpc.cab

 

May 27th, 2004 18:00

John,

It did the same thing in safe mode, got that same message. I did a scan anyway, in case something changed.

Logfile of HijackThis v1.97.7
Scan saved at 3:17:45 PM, on 5/27/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\h323msp.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\stickies\stickies.exe
C:\unzipped\hijackthis\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windowws.cc/hp.htm?id=632
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.dellnet.com/
O2 - BHO: (no name) - {A9A674BF-771F-42E5-A440-D20DDA85A862} - C:\WINDOWS\System32\42nox73p8n.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
O4 - HKLM\..\Run: [jopa] C:\WINDOWS\System32\sysstartup.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [h323msp] C:\WINDOWS\system32\h323msp.exe
O4 - HKCU\..\Run: [jopa] C:\WINDOWS\System32\sysstartup.exe
O4 - Startup: Stickies.lnk = C:\Program Files\stickies\stickies.exe
O4 - Global Startup: America Online Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: winlogin.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O15 - Trusted Zone: *.greg-search.com
O16 - DPF: Yahoo! Backgammon - http://download.games.yahoo.com/games/clients/y/at0_x.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/download/0/5/c/05c905f4-dd30-427d-a3de-373c3e5552fc/msSecAdv.cab?1085504918609
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {B2BA7DDB-D205-48FF-9757-3CD70A9651C9} (ACIWizard.CByteInterface) - https://ols.adin.net/Controls/ACIWizard.CAB
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://firstmagnus.webex.com/client/latest/webex/ieatgpc.cab

HEY!!!  I guess some things DID change, look - that PCHealth thing is back! Now what? And you mentioned something to Chris about that item with the misspelling... well, that sort of looks familiar to an IE heading (at the top, in the blue window heading) that flashed before when I was getting the here4search.com page. Now I am still getting that other page with the C:\WINDOWS\SYSTEM32\hp.uti thing.

Thanks again!

317 Posts

May 27th, 2004 18:00

Lisa, Windows may have locked it in once it runs. You will have to run the computer in safe mode.  Reboot the computer and hit F8 as soon as the computer starts (before you see Windows XP) (for more info on safe mode click here).

The computer screen will look very different.  Run HJT again.  Scan and place an X next to this line

O4 - Global Startup: winlogin.exe

Click FIX

Reboot computer (don't press F8) in normal mode

There are other ways to stop it from running but I would like to get it off the computer completely.

PS.  I see other items gone that were in question and the scan looks better and better.  This may be the last item. Please post HJTscan when back in normal mode. 
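Comparing one scan against the previous one by eye, as the helpers do in this thread, gets error-prone quickly. The following is an added example, not code from the thread or from HijackThis: it parses HijackThis v1.97 R/O entry lines, diffs two scans, and flags the entry patterns the helpers asked to FIX (a bare-filename Global Startup item, a Run key that unregisters a DLL, an unnamed BHO with a random-looking DLL name, a wildcard Trusted Zone domain, IE policy restrictions). The sample logs are constructed excerpts of the first and third logs posted above; the heuristics are my own assumptions and give reasons to look, not verdicts.

```python
import re
from dataclasses import dataclass

# Entry line "R0 - ..." / "O4 - ..." (process list skipped); O4 Run-key detail "HKCU\..\Run: [name] cmd"
ENTRY_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*\S)\s*$")
RUN_RE = re.compile(r"^(HKLM|HKCU)\\\.\.\\Run: \[([^\]]*)\] (.*)$")

# Constructed sample input: excerpts of the first and third logs posted in this thread.
LOG_BEFORE = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windowws.cc/hp.htm?id=632
O2 - BHO: (no name) - {A9A674BF-771F-42E5-A440-D20DDA85A862} - C:\WINDOWS\System32\42nox73p8n.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKCU\..\Run: [uninstal] regsvr32 /u /s image.dll
O4 - Global Startup: winlogin.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
"""
LOG_AFTER = r"""
O2 - BHO: (no name) - {A9A674BF-771F-42E5-A440-D20DDA85A862} - C:\WINDOWS\System32\42nox73p8n.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - Global Startup: winlogin.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O15 - Trusted Zone: *.greg-search.com
"""


@dataclass(frozen=True, order=True)
class Entry:
    section: str  # R0, R1, O2, O4, O6, O15 ...
    detail: str   # everything after "O4 - "


def parse_log(text: str) -> set:
    """Return the set of R/O entries in a HijackThis log."""
    entries = set()
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.add(Entry(m.group(1), m.group(2)))
    return entries


def diff_logs(before: str, after: str):
    """(removed, added) entry lists between two scans of the same machine."""
    b, a = parse_log(before), parse_log(after)
    return sorted(b - a), sorted(a - b)


def looks_random(path: str) -> bool:
    """Heuristic: generated names like 42nox73p8n switch between digits and letters often."""
    stem = path.rsplit("\\", 1)[-1].split(".")[0]
    kinds = [c.isdigit() for c in stem if c.isalnum()]
    changes = sum(1 for x, y in zip(kinds, kinds[1:]) if x != y)
    return changes >= 3


def suspicious(e: Entry):
    """Why an entry deserves a second look, or None. Heuristics (assumed), not verdicts."""
    d = e.detail
    if e.section == "O2" and d.startswith("BHO: (no name)") and looks_random(d):
        return "unnamed BHO loading a random-looking DLL"
    if e.section == "O4":
        if d.startswith("Global Startup: ") and "\\" not in d and "=" not in d:
            return "Global Startup item with a bare filename and no shortcut target"
        m = RUN_RE.match(d)
        if m and m.group(3).lower().startswith("regsvr32 /u"):
            return "Run key that unregisters a DLL at every logon"
    if e.section == "O15" and d.startswith("Trusted Zone: *."):
        return "wildcard domain added to the Trusted zone"
    if e.section == "O6":
        return "IE policy restriction present"
    return None


def triage(text: str) -> dict:
    """Map each flagged entry's detail string to the reason it was flagged."""
    return {e.detail: r for e in parse_log(text) if (r := suspicious(e))}


if __name__ == "__main__":
    removed, added = diff_logs(LOG_BEFORE, LOG_AFTER)
    print(f"removed {len(removed)}, added {len(added)}; still flagged:", triage(LOG_AFTER))
```

Running it on the two excerpts reports the three entries the FIX removed, the two that appeared, and that winlogin.exe and the BHO are still present after the fix, which is exactly the follow-up the helpers ask for.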

317 Posts

May 27th, 2004 18:00

Lisa,

Follow these steps very carefully.  Go to Start -> Run ->type in REGEDIT press ok

Go to here by clicking the + sign next to each folder, for example next to Hkey_Local_Machine, then next to Software, then next to Microsoft, then next to Windows, then next to Current Version, then click on the folder Run.

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

Look for the one line that contains: NvCplDaemon......Winlogin.exe

Right click this line, and select delete.

Close everything down (red X) and reboot the machine.

Please post again as before. Sorry this is taking so long.

May 27th, 2004 19:00

John,

To answer your first question, I change my homepage in internet options and when I open a new window, sometimes on the first try, it's fine. But when I close that and open another window - right back to that same page.

I went to Spybot and followed your instructions, wouldn't believe this but it's not in there either!  I did go to IE Tweaks and checked the Lock Host line. Here is an interesting observation though, not sure what it means: It just dawned on me that the icon for Spybot (on my task bar) is identical to the icon that appears in the address line in IE in front of the C:\WINDOWS\SYSTEM32\hp.uti address. Like I said, I'm a novice and all, and it could mean absolutely nothing, but that strikes me as a little strange. Could Spybot be the root of my problems?

~Lisa

317 Posts

May 27th, 2004 19:00

Lisa,

Can you change your homepage?  A lot has been taken out.

Can you try this one last thing?  It is painless.  Since you have Spybot 1.3, go to Tools, System Startup, and uncheck the Winlogin that is starting up.  Also, while you're there at Tools, select IE tweak and place a check mark next to Lock Host files as read only...

Check your scan and see if it's gone.  One thing about spyware is that some actually bring in others.

May 27th, 2004 19:00

Hi John,

Not sure if I should be getting concerned at this point, but I followed your instructions perfectly. When I got to the 'RUN' section, there was no line there with the information you wanted me to delete! I'll take a deep breath for now, LOL.  And no need for apologies for how long it's taking, I could care less about the time, as long as I can eventually regain control of my system  :)   ~L

2 Intern • 3.9K Posts

May 28th, 2004 11:00

No, Spybot I would not expect to be a problem - could we have a fresh hijackthis log - and please repeat the description of the problem.