May 4th, 2006 00:00

HijackThis results

My computer is really crashy and is running in a very weird 4-color display. I can't even choose any monitors but "Plug and Play", and the resolution is at the lowest with no option to change. When I switch users, I crash and get a serious error message.

Please help restore my computer to the great machine it was before the virus!
Thanks

May 4th, 2006 00:00

Logfile of HijackThis v1.99.1
Scan saved at 9:10:51 PM, on 5/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Jeff\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.brooksound.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.brooksound.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Spyware\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1095202365062
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1145814917892
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
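A small parser for the HijackThis log format shown above, added here as an example; it is not part of this thread or of HijackThis itself. The sample lines are copied from the log above, and the review flags (orphaned "file missing" registrations, a missing URLSearchHook, Winlogon Notify DLLs, paths outside the Windows and Program Files trees) are my own triage heuristics, not HijackThis rules.

```python
import re

# Constructed sample in HijackThis v1.99.1 format; the lines are copied from
# the log posted above so the parser is exercised on real entry shapes.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.brooksound.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
"""

ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\r\n]*?\.(?:dll|exe)\b', re.IGNORECASE)
# Where a legitimately installed component normally lives (heuristic, not a HijackThis rule).
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\progra~1\\", "c:\\program files\\")

def parse_hjt_log(text):
    """One dict per HijackThis entry: section, CLSID, file path and review flags."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # header and process-list lines are not entries
        sec, body = m.group("sec"), m.group("body")
        clsid = CLSID_RE.search(body)
        path = PATH_RE.search(body)
        flags = []
        if "(file missing)" in body:
            flags.append("file missing: orphaned registration")
        if sec == "R3" and "is missing" in body:
            flags.append("URLSearchHook missing: default hook was removed")
        if sec == "O20":
            flags.append("Winlogon Notify DLL: loads at logon, verify its signature")
        if path and not path.group(0).lower().startswith(TRUSTED_PREFIXES):
            flags.append("path outside Windows/Program Files")
        entries.append({"section": sec, "raw": line.strip(),
                        "clsid": clsid.group(0) if clsid else None,
                        "path": path.group(0) if path else None,
                        "flags": flags})
    return entries

def flagged(entries):
    """Only the entries that need an analyst's attention."""
    return [e for e in entries if e["flags"]]
```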
 

May 4th, 2006 19:00

Don't see anything in the log.  Can you go back and turn on everything in msconfig and make a new log and post it as a reply?
 
Start, Run, sigverif, OK. When the new program comes up, press Start and wait for it to finish. Do you see wininet.dll? Sort the list by date by clicking on the Modified column header. Look for new files (since the problem started). What do you find?
 
Also, since you say it's crashing, look in the event logs: Start, Run, eventvwr.msc, OK. Select System, then look for red-marked events at the time of your last crash and double-click on them to open them, then click on the bottom of the three buttons to copy the text, then move to a reply and Edit, Paste. Repeat for any different event. If you have multiple copies of the same event, just tell me you have 2, 10, or many copies of the same event.
 
Ron
 
 

May 5th, 2006 22:00

If you've got wininet.dll in your sigverif list, run SmitFraudFix as per

http://forums.us.dell.com/supportforums/board/message?board.id=si_hijack&message.id=34432

Then run sigverif again and see if it's gone.

Ron

 

May 5th, 2006 22:00

Thanks Ron, I don't really know what is going on here. I do see the wininet.dll, but cannot sort by modification. My computer is running in some very primitive mode, like it got knocked back to its most basic settings, appearance and color scheme. As it is, I can barely see the screen I'm typing on because the background color to this text box is not solid white. It therefore comes up polka-dotted because I am on 4-color display, and the other options (16 color, millions of colors) that were there before are not even available on the drop-down menu.

iTunes will not open.

When creating a message in Outlook, the page turns black and it is impossible to type.

When switching from user to user there is a crash 100% of the time. A system error comes up: "recovered from a serious error".

When I run eventvwr.msc, there are no red-flagged events. All flags are blue "i" marks named Information. Most of the time the source is "Service Control Manager", but around the last crash, here are the others:

eventlog - Microsoft (R) Windows (R) 5.01. 2600 Service Pack 2 Uniprocessor Free.

eventlog - The Event log service was started.

bcm4sbxp - Broadcom 440x 10/100 Integrated Controller: Network controller configured for 100Mb full-duplex link.

Tcpip - The system detected that network adapter \DEVICE\TCPIP_{E0FA22D6-2DA5-40D0-95D3-89F4C03FEA4E} was connected to the network, and has initiated normal operation over the network adapter.

Savedump - The computer has rebooted from a bugcheck. The bugcheck was: 0x10000050 (0xbf9d8371, 0x00000000, 0xbf9d8371, 0x00000000). A dump was saved in: C:\WINDOWS\Minidump\Mini050406-03.dmp.

Thanks again!

May 6th, 2006 13:00

Thanks Ron, I followed the directions to a T, and wininet.dll is still present when I run sigverif after the restart. When I restarted it had recovered from a serious error, and this is the description:

C:\DOCUME~1\Jeff\LOCALS~1\Temp\WERc231.dir00\Mini050606-01.dmp

C:\DOCUME~1\Jeff\LOCALS~1\Temp\WERc231.dir00\sysdata.xml

May 7th, 2006 20:00

Download a new copy of wininet.dll from:
I believe it's a zipped file, so save it to your desktop, then right-click on it and Extract All, then
 
Extract it to C:\

Shut down and restart, and boot into Safe Mode by tapping the F8 key when you see the PC maker's logo. Keep tapping until it tells you it is going to Safe Mode or you see the Safe Mode menu. Select the Safe Mode with Command Prompt option. It should go to a black CMD screen. Type:
 
cd \windows\system32\dllcache
 
(If the pc can't find the folder then skip this next command)
(If the prompt doesn't change to indicate that you are in C:\windows\system32\dllcache then try the above command again)
 
attrib -r -h wininet.dll
del /f wininet.dll
 
(It may not find the file to delete.  That's OK go on to the next one.)
 
cd \windows\system32
 
(Prompt should change to C:\Windows\System32)
 
attrib -r -h wininet.dll
ren wininet.dll wininet.bad
copy c:\wininet.dll \windows\system32
 
cd \
dir /s /a wininet.*
 
The above just checks to see where wininet.dll is hiding.  If you highlight the output and hit Enter it will copy the text.  Move to a reply and Edit, Paste.
 
Ron
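As an added example (not from this thread) of the integrity check behind Ron's `dir /s /a wininet.*` step, the Python below walks a constructed stand-in for the C: drive, finds every copy of wininet.dll and hashes each one against the copy that Windows File Protection keeps in dllcache. The directory layout and file contents are made up for the demonstration; `demo()` and the constants are mine.

```python
import hashlib
import os
import tempfile

# Constructed stand-in for the C: drive (real paths: C:\WINDOWS\system32 and its dllcache folder, as in Ron's steps).
SYSTEM32 = os.path.join("WINDOWS", "system32")
DLLCACHE = os.path.join(SYSTEM32, "dllcache")
CACHE_DLL = os.path.join(DLLCACHE, "wininet.dll")
LIVE_DLL = os.path.join(SYSTEM32, "wininet.dll")
TEMP_DLL = os.path.join("Documents and Settings", "Jeff", "Local Settings", "Temp", "wininet.dll")

def build_constructed_drive(root):
    """Fake drive where the live wininet.dll no longer matches the dllcache copy."""
    files = {CACHE_DLL: b"GENUINE WININET BYTES",
             LIVE_DLL: b"REPLACED WININET BYTES",
             TEMP_DLL: b"REPLACED WININET BYTES"}
    for rel, data in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)

def sha256_of(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()

def find_copies(root, name="wininet.dll"):
    """Same idea as 'dir /s /a wininet.*': every copy of the DLL under root."""
    return sorted(os.path.join(d, f) for d, _, fs in os.walk(root)
                  for f in fs if f.lower() == name.lower())

def check_against_cache(root, name="wininet.dll"):
    """Hash every copy and compare it with the dllcache (Windows File Protection) copy."""
    cache_path = os.path.join(root, DLLCACHE, name)
    reference = sha256_of(cache_path) if os.path.exists(cache_path) else None
    report = {}
    for path in find_copies(root, name):
        rel = os.path.relpath(path, root)
        if path == cache_path:
            report[rel] = "reference (dllcache)"
        elif sha256_of(path) == reference:
            report[rel] = "matches dllcache"
        else:
            report[rel] = "DIFFERS from dllcache"
    return report

def demo():
    # Build the constructed drive in a temp dir and return the per-copy verdicts.
    with tempfile.TemporaryDirectory() as root:
        build_constructed_drive(root)
        return check_against_cache(root)
```

A copy that differs from dllcache is not by itself proof of tampering (the cached copy can be stale or itself replaced), so on the real machine pair this with the sigverif signature check Ron asked for.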
