Hijack This Help

Discussion in 'OT Technology' started by KoopaTroopa, Apr 3, 2008.

  1. KoopaTroopa

    KoopaTroopa OT Supporter

    Joined:
    Jun 3, 2004
    Messages:
    4,661
    Likes Received:
    0
    Location:
    Fall River, Mass
    I think I have a rundll32.exe virus & can't get rid of it.

    Here's the Hijack This log & I need help since I never used it before.
    AVG keeps popping up saying Virus & can't get rid of it. I tried booting in safe mode & couldn't.


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:53:09 PM, on 4/2/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16608)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
    C:\WINDOWS\SYSTEM32\Ati2evxx.exe
    C:\Program Files\UltraMon\UltraMon.exe
    C:\WINDOWS\system32\umonit.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\UltraMon\UltraMonTaskbar.exe
    C:\Program Files\Trillian\trillian.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Aware.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tokyotosho.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = actsvr.comcastonline.com:8100
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = actsvr.comcastonline.com
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [UltraMon] "C:\Program Files\UltraMon\UltraMon.exe" /auto
    O4 - HKLM\..\Run: [UMonit] C:\WINDOWS\system32\umonit.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [BM475ea8a3] Rundll32.exe "C:\WINDOWS\system32\uuelvdbg.dll",s
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O8 - Extra context menu item: &AIM Search - blank
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Do&wnload by ReGet Deluxe - C:\Program Files\Common Files\ReGet Shared\CC_Link.htm
    O8 - Extra context menu item: Download A&ll by ReGet Deluxe - C:\Program Files\Common Files\ReGet Shared\CC_All.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} - https://components.viewpoint.com/MT...://instantgreetings.aol.com/prod/install.html
    O16 - DPF: {9C024426-7859-4B2D-AB4C-B1E370AE7549} - http://us.mcafee.com/Apps/WSC/en-us/WscWlanScannerCtrl.cab
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
    O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
    O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
    O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
    O23 - Service: RoxUpnpRenderer (RoxUPnPRenderer) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\SharedCom\RoxUpnpRenderer.exe (file missing)
    O23 - Service: RoxUpnpServer - Unknown owner - C:\Program Files\Roxio\Easy Media Creator 8\Digital Home\RoxUpnpServer.exe (file missing)
    O23 - Service: Roxio Hard Drive Watcher (RoxWatch) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe (file missing)
    O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
     
    Last edited: Apr 3, 2008
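As an added example (not code from this thread or from HijackThis), a small Python triage pass over lines in the HijackThis v2 format shown in the log above. It pulls the DLL out of any rundll32 Run entry, since with rundll32 the DLL it loads is what actually runs, not rundll32.exe itself; it also flags value names that look machine-generated (like BM475ea8a3), and notes proxy settings and dangling entries for review. The sample lines are constructed from the log above and the heuristics are this example's own.

```python
import re

# Constructed sample: a few lines in HijackThis v2 format modelled on the log above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [BM475ea8a3] Rundll32.exe "C:\WINDOWS\system32\uuelvdbg.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = actsvr.comcastonline.com:8100
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O23 - Service: RoxUpnpServer - Unknown owner - C:\Program Files\Roxio\RoxUpnpServer.exe (file missing)
"""

# O4 - <hive>\..\Run: [<value name>] <command line>
RUN_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# rundll32 <dll>,<entry>: the DLL, not rundll32.exe, is the code that runs.
RUNDLL_RE = re.compile(r'^"?rundll32(\.exe)?"?\s+"?(?P<dll>[^",]+?)"?\s*,', re.I)
# Value names such as BM475ea8a3: a short letter prefix plus a run of hex digits,
# which looks machine-generated rather than like a vendor's product name (heuristic).
GENERATED_NAME_RE = re.compile(r"^[A-Za-z]{0,3}[0-9a-f]{6,}$")


def triage(log_text):
    """Return a list of (severity, reason, line) findings for HJT-format lines."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = RUN_RE.match(line)
        if m:
            name, cmd = m.group("name"), m.group("cmd")
            r = RUNDLL_RE.match(cmd)
            if r:
                findings.append(("high", "rundll32 loads " + r.group("dll"), line))
            if GENERATED_NAME_RE.match(name):
                findings.append(("medium", "machine-generated value name " + name, line))
            continue
        if line.startswith("R1 - ") and ",ProxyServer = " in line:
            findings.append(("medium", "proxy configured; confirm it is expected", line))
        if line.endswith("(no file)") or line.endswith("(file missing)"):
            findings.append(("low", "dangling entry, target file absent", line))
        if line.startswith("O23 - ") and " - Unknown owner - " in line:
            findings.append(("info", "service with unknown owner", line))
    return findings


if __name__ == "__main__":
    for severity, reason, line in triage(SAMPLE_LOG):
        print(f"[{severity}] {reason}\n    {line}")
```

The "high" finding gives the file to look up and submit to a scanner; the rest are review items, not verdicts.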
  2. Doomsday

    Doomsday XXX

    Joined:
    Mar 14, 2000
    Messages:
    14,902
    Likes Received:
    0
    Location:
    Minnesota
    In HijackThis, check the one in bold, hit the "fix checked" button, and reboot.
     
  3. KoopaTroopa

    KoopaTroopa OT Supporter

    Joined:
    Jun 3, 2004
    Messages:
    4,661
    Likes Received:
    0
    Location:
    Fall River, Mass

    I bolded that one because that was the only one I didn't recognize in my msconfig startup list.

    Thanks. Not really that hard to understand now that I look at it.
     
  4. Doomsday

    Doomsday XXX

    Joined:
    Mar 14, 2000
    Messages:
    14,902
    Likes Received:
    0
    Location:
    Minnesota
    I know.
    Paste that log to this site: http://www.hijackthis.de
    It should tell you what's wrong.
     
  5. DaIceMan

    DaIceMan Jack Bauer > *.*

    Joined:
    Aug 30, 2004
    Messages:
    3,475
    Likes Received:
    0
    Location:
    Springfield-ish, Missouri
    that's one big lot of ugly.
     
  6. KoopaTroopa

    KoopaTroopa OT Supporter

    Joined:
    Jun 3, 2004
    Messages:
    4,661
    Likes Received:
    0
    Location:
    Fall River, Mass
    One problem now. The PC won't boot up. It won't boot up, it'll just keep restarting now.
    Going to repair my XP Pro with XP Home. I lost the Pro disk. Will this be fine?


    Edit:
    It didn't work. PC just keeps restarting after getting to the screen asking to boot in Safe Mode or Last Good Config. I think I fucked it up.
     
    Last edited: Apr 3, 2008
  7. Doc Brown

    Doc Brown Don't make me make you my hobby

    Joined:
    Mar 31, 2006
    Messages:
    16,404
    Likes Received:
    0
    Location:
    Ohio
    I think that was a legit dll file. It looks like some sort of debugger.

    If you have your windows disc, go to start > run > and type in the following with exact spaces

    sfc /scannow

    Then pop in your windows cd, and let it do a file repair.

    That should fix the dll file you deleted.
     
  8. Doc Brown

    Doc Brown Don't make me make you my hobby

    Joined:
    Mar 31, 2006
    Messages:
    16,404
    Likes Received:
    0
    Location:
    Ohio

    Can you get it to open in safe mode?
     
  9. KoopaTroopa

    KoopaTroopa OT Supporter

    Joined:
    Jun 3, 2004
    Messages:
    4,661
    Likes Received:
    0
    Location:
    Fall River, Mass
    I just got it into safe mode thanks to using a repair disk & the following DOS commands.

    Md bak

    Copy c:\windows\system32\config\system c:\windows\bak\system.bak
    Copy c:\windows\system32\config\software c:\windows\bak\software.bak
    Copy c:\windows\system32\config\sam c:\windows\bak\sam.bak
    Copy c:\windows\system32\config\security c:\windows\bak\security.bak
    Copy c:\windows\system32\config\default c:\windows\bak\default.bak

    Delete c:\windows\system32\config\system
    Delete c:\windows\system32\config\software
    Delete c:\windows\system32\config\sam
    Delete c:\windows\system32\config\security
    Delete c:\windows\system32\config\default

    Copy c:\windows\repair\system c:\windows\system32\config\system
    Copy c:\windows\repair\software c:\windows\system32\config\software
    Copy c:\windows\repair\sam c:\windows\system32\config\sam
    Copy c:\windows\repair\security c:\windows\system32\config\security
    Copy c:\windows\repair\default c:\windows\system32\config\default

    Now I need help in removing this virus or whatever. Should I do a system restore when I'm done in safe mode? Do I have to fix my boot section since I fucked with it or will the system restore fix that?
     
    Last edited: Apr 3, 2008
  10. Doc Brown

    Doc Brown Don't make me make you my hobby

    Joined:
    Mar 31, 2006
    Messages:
    16,404
    Likes Received:
    0
    Location:
    Ohio
    How about trying another antivirus?

    Kaspersky is free.
     
  11. KoopaTroopa

    KoopaTroopa OT Supporter

    Joined:
    Jun 3, 2004
    Messages:
    4,661
    Likes Received:
    0
    Location:
    Fall River, Mass
    Thanks for helping Doc, but right now I'm stuck in Safe Mode. Should I do a system restore? The site I went to says I have to fix my changes I did earlier? However, that guy's not in safe mode like me.


    Here's what I've been following since it actually worked, besides my starting in Safe Mode.
    http://everything2.com/index.pl?node_id=1438550
     
  12. Doc Brown

    Doc Brown Don't make me make you my hobby

    Joined:
    Mar 31, 2006
    Messages:
    16,404
    Likes Received:
    0
    Location:
    Ohio
    Oh, sorry about that. I misread that to say you had gotten running again.

    You could try safe mode with networking, and then try to download kaspersky.

    Avg is pretty good though. If that's really a virus, something tells me it's going to be tricky.

    And the system restore can be a catch 22. Sometimes it can make it to where malware can't be deleted without turning it off first.

    But you probably want to try a restore point first, before you shut off system restore.
     
  13. KoopaTroopa

    KoopaTroopa OT Supporter

    Joined:
    Jun 3, 2004
    Messages:
    4,661
    Likes Received:
    0
    Location:
    Fall River, Mass
    Solves my System Restore problem...it won't work. Just hangs. I got Spybot running now, but AVG won't run in Safe Mode.

     
  14. Doc Brown

    Doc Brown Don't make me make you my hobby

    Joined:
    Mar 31, 2006
    Messages:
    16,404
    Likes Received:
    0
    Location:
    Ohio
    Ouch.

    Do you have a lot of data you need to save?
     
  15. KoopaTroopa

    KoopaTroopa OT Supporter

    Joined:
    Jun 3, 2004
    Messages:
    4,661
    Likes Received:
    0
    Location:
    Fall River, Mass
    I'm trying not to reformat. I lost my Windows XP Pro disk due to a flood. I have a lot of videos, pics, & music on here. I could move it to my external hard drive, but I like my PC as is now.
     
  16. Doc Brown

    Doc Brown Don't make me make you my hobby

    Joined:
    Mar 31, 2006
    Messages:
    16,404
    Likes Received:
    0
    Location:
    Ohio
    Damn. So you can't even try a Windows repair then...

    Well there is a somewhat convoluted thing you can do if you have good access to another pc, which I assume you do, and are on right now.

    Download the xp iso from somewhere. Use MagicISO to make it bootable.

    There are keyfinders you could burn to a cd, and load up on your machine in safe mode, to pull your serial out of your machine. (I've got one I could upload to you)

    Then use the new disc, along with your serial number to do a windows repair.

    A lot of work, but your options are limited if you don't want to do a reformat.
     
  17. KoopaTroopa

    KoopaTroopa OT Supporter

    Joined:
    Jun 3, 2004
    Messages:
    4,661
    Likes Received:
    0
    Location:
    Fall River, Mass
    I was able to get to the repair using an XP Home disk, I think. I tried to repair it. Wait, it was the recovery console I tried.

    Should I continue with that site & fix the changes I did earlier since I can't get System Restore?

    Edit:
    I'm going to have to continue with that site.

     
  18. Doc Brown

    Doc Brown Don't make me make you my hobby

    Joined:
    Mar 31, 2006
    Messages:
    16,404
    Likes Received:
    0
    Location:
    Ohio
    Well you want to try a repair, not recovery console. But by site, you mean the hijackthis site?

    That's not really geared to virus removal. You need to get the build back up and running, and a windows repair would be a good start.

    If you can get it up and running, you could save the important stuff to the external drive, just in case. Then turn off system restore and try to run scans again.

    And run them in safe mode if you can.
    (that should have been tried first, actually)
     
  19. KoopaTroopa

    KoopaTroopa OT Supporter

    Joined:
    Jun 3, 2004
    Messages:
    4,661
    Likes Received:
    0
    Location:
    Fall River, Mass
    I couldn't get safe mode to boot when I tried first. I got the PC to reboot normally, but my profile is gone. I'm using the bare Admin's one. All my files are still on the drive, but I have to find my old profile before all this mess. System restore does not work.

    I might have to go buy an XP Pro disk tomorrow.



    I was using this site to get my PC just to boot & followed his instructions.
    http://everything2.com/index.pl?node_id=1438550
     
  20. Doc Brown

    Doc Brown Don't make me make you my hobby

    Joined:
    Mar 31, 2006
    Messages:
    16,404
    Likes Received:
    0
    Location:
    Ohio
    If you can just borrow or download a disc, like I said you can pull your serial number off of your install and reuse it. No reason to pay for another copy.
     
  21. KoopaTroopa

    KoopaTroopa OT Supporter

    Joined:
    Jun 3, 2004
    Messages:
    4,661
    Likes Received:
    0
    Location:
    Fall River, Mass
    I might try to find an XP Pro disk, but for now I'm trying to find my old profile to load, and I can't. I noticed in msconfig, under boot.ini, it says partition(2) now instead of (1).
     
  22. Doc Brown

    Doc Brown Don't make me make you my hobby

    Joined:
    Mar 31, 2006
    Messages:
    16,404
    Likes Received:
    0
    Location:
    Ohio
    You had a ton of settings that you're trying to save?

    Another option that might help, in that it would give you plenty of time to work around this, is to just get another hard drive for the os.
    The Western Digital 160gb WD1600AAJS drives are very fast drives and only $55 shipped.
    http://www.newegg.com/Product/Product.aspx?Item=N82E16822136075&Tpk=wd1600aajs

    Find a copy of XP; I'll PM you a link for the key finder so you can use your old serial number.

    Then when you get reinstalled and running, you can poke around on the old drive until you find the right files.

    Check your pm's.
     
  23. KoopaTroopa

    KoopaTroopa OT Supporter

    Joined:
    Jun 3, 2004
    Messages:
    4,661
    Likes Received:
    0
    Location:
    Fall River, Mass
    The problem is I'm out of space on this PC for another drive. I already have another internal drive in there & my external.
    I had my StyleXP settings, my ultramon settings, and whatever set. And now I have to reconnect to the net on my PC now.
    I might just buy a new PC tomorrow & start over with Vista.
     