Mission Statement
WindowsBBS is an online community dedicated to easily accessible technical support for those using Microsoft operating systems and other Windows software.
Our goal is to become the leading resource for computer users that require assistance with their day-to-day computer usage, including full support for networking PC's, virus & malware removal, system upgrades and general support questions.
I used to keep a ghost of my C: drive so whenever something like this happened, I would just reload the ghost. But that was on 98SE. I updated to XP so that I could play Doom3... apparently XP doesn't like my version of Ghost. Ghost 5, I believe... kinda old.
I have run Spybot Search & Destroy, no anti-virus software or anything else...
I was reading up on some of this... but it's gonna be a while before I understand all the terminology for HijackThis.
Here's the HijackThis log.
Logfile of HijackThis v1.97.7
Scan saved at 3:39:58 PM, on 8/31/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
The Hijackthis version is not the latest so you need to download v1.98.2 and just overwrite the one you have so your next log will be generated with the latest version. Spybot should be v1.3 and you have to download the whole thing as updating the ref files won't do it. If you now have an earlier version, run it and uncheck any protections then uninstall it and install the new one then update. Ad-Aware is also a good spyware removal app (see Quicklinks in my signature) and you want their new SE version.
I take it from your comment about "no anti-virus software" and the fact that I don't see any signs that you have an AV program on your PC that you really aren't running any. If not you really need to get one to help protect the PC. You can find both online and free local AV programs in Quicklinks.
Neither of these .exe files shows up on a search, which is often a sign they were dropped on you by a virus, so an online virus scan is certainly in order.
C:\Documents and Settings\Himura Glennshin\Application Data\retw.exe
C:\WINDOWS\System32\uavfr.exe
However, none of those would have prevented or removed the particular hijack you have.
Open HijackThis and check the following items, then let HJT remove them:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\HIMURA~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\HIMURA~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\HIMURA~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\HIMURA~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\HIMURA~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\HIMURA~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {12A76F0F-CE6B-7DC4-D507-6D5508AD7045} - C:\WINDOWS\System32\fjvfsvj.dll
O2 - BHO: (no name) - {47F3C2E8-215B-492F-B8FD-C644D5568CAB} - C:\WINDOWS\System32\naib.dll
O4 - HKCU\..\Run: [Omtp] C:\Documents and Settings\Himura Glennshin\Application Data\retw.exe
O4 - HKCU\..\Run: [Qbaqfc] C:\WINDOWS\System32\uavfr.exe
Download CWShredder.exe from here and save it to your desktop.
Boot to safe mode.
Turn off system restore.
Close ALL other windows, open CWShredder and click fix.
Open C:\Temp if present, select all and delete.
Open C:\Windows\Temp, select all and delete.
Open C:\Documents and settings\username\Local Settings\temp, select all and delete. Do this for all usernames.
Open My Computer, right click Local disk C: and choose properties, then disk cleanup. Check all boxes except compress old files and OK.
Boot back to normal mode.
Run an online virus scan and remove any baddies it finds. If there are any found that can't be cleaned/deleted copy down details and post them here.
Download the latest version of Hijackthis and overwrite the one you have now. Then run it and post the new log back here.
Reboot and then delete these files.
C:\WINDOWS\System32\fjvfsvj.dll
C:\WINDOWS\System32\naib.dll
C:\WINDOWS\System32\uavfr.exe
c:\x.cab
I am not sure of the following. Do you know what it is?
C:\Documents and Settings\Himura Glennshin\Application Data\retw.exe
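As an added illustration (not code from the thread, from HijackThis or from CWShredder), here are the triage rules Newt and Mark applied above, run over the log lines quoted in the thread: R0/R1 entries redirected to a file:// URL in Temp, a BHO with no name, and a Run entry launching from Application Data are flagged, while the O16 MediaTicketsInstaller line is left alone. The sample log is constructed from the entries posted above.

```python
# Constructed sample: HijackThis lines quoted in this thread (not a full log).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\HIMURA~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\HIMURA~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {12A76F0F-CE6B-7DC4-D507-6D5508AD7045} - C:\WINDOWS\System32\fjvfsvj.dll
O4 - HKCU\..\Run: [Omtp] C:\Documents and Settings\Himura Glennshin\Application Data\retw.exe
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
"""

# Profile folders an ordinary installer would not use for an auto-started program.
USER_WRITABLE = ("\\application data\\", "\\local settings\\", "\\temp\\")


def flag(line: str):
    """Return a reason string if the HJT line matches a hijack pattern, else None."""
    section, _, body = line.partition(" - ")
    if section in ("R0", "R1"):
        # R0/R1: IE start/search page values; a file:// target inside Temp is the CWS sign
        value = body.partition(" = ")[2].lower()
        if value.startswith("file://") and "\\temp\\" in value:
            return "IE search/start page points at a local file in Temp (CWS-style hijack)"
    elif section == "O2":
        # O2: Browser Helper Objects; legitimate ones normally carry a product name
        if "(no name)" in body:
            return "Browser Helper Object with no name"
    elif section == "O4":
        # O4: Run keys; the launched path follows the "[name] " prefix
        path = body.partition("] ")[2].lower()
        if any(folder in path for folder in USER_WRITABLE):
            return "Run entry starts a program from a user-writable profile folder"
    return None


def triage(log_text: str):
    """Return (line, reason) pairs for every suspicious line; clean lines are omitted."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        reason = flag(line)
        if reason:
            findings.append((line, reason))
    return findings


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"{reason}\n    {line}")
```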
Hi Mark. Looks like we were working on replies at the same time. Wish I'd known you were on it - I'd have read a book.
Question - MediaTicketsInstaller seems to be a legit item from what I managed to read about it. Did I miss the bad stuff or is c:\x.cab a baddie? I know that removing the O16 entries is no biggie since they rebuild when you hit a site that needs them, but I'm just trying to further my education.
Sorry about the sidebar glennshin but he's been doing this security thing lots longer than I have and I'll pick his brain any chance I get.
Newt: no worries, that's the only way to make others' knowledge your own, eh?
Mark: I have no idea what retw.exe is. As I only install to e:/Games, e:/programs & c:/program files, I would never install any program in such a random location. So I went ahead and just deleted that as well.
Ran HJT, CWShredder, deleted temps and it seems all well and good.
Here is the new HJT log.
Logfile of HijackThis v1.98.2
Scan saved at 12:03:53 AM, on 9/1/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Oh, on a side note... the only curious thing I've noticed on WinXP Pro is that my desktop icons won't stay set to the custom ones. I've done some searches but haven't found anything to really help. I have unsuccessfully tried deleting iconcache...
I will not get into the clean up part but I do see some items that I am very glad to see mentioned.
One is to shut down System Restore. Sometimes I myself do not shut it down until I get things cleaned up (just in case), but I do shut it down for sure after the clean up and make a new one.
I also saw the word GHOST mentioned. That also should be shut down and a new ghost copy made.
I also saw the TEMP files mentioned (I believe I did anyway). There are times (unknown to us) that some trash programs USE THE TEMP FOLDER to work from. I just looked on my wife's machine and I HAVE NO IDEA where two .EXE files came from. I think STRONGLY that I need to watch some kids and find out where they are going (or have been) on the Internet (may be related to the next paragraph). I suspect that one of them has learned how to bypass the firewall.
In Windows 98 & 98SE the RB00x.cab files in the C:\Windows\Sysbackup folder should be deleted. I just did that on my wife's machine because Ad-Aware & Spybot found some not so nice stuff hanging around in the registry (related to the TEMP folder files).
Running an Anti-Virus program FULL TIME is another good idea.
Also I see WINDOWS UPDATES mentioned. That is another important part of helping to keep things clean, especially the critical ones. There are many hole plugs there.
So, is the cleanout of the actual problem enough? I do not think so. I think other things need to be done so that it does not (even unintentionally) get put back.
Newt, I was being a bit on the cautious side about c:\x.cab and MediaTicketsInstaller. If the line had been like the O16 below, I wouldn't have suggested the removal. MediaTicketsInstaller in itself is not considered bad from what I have found, and the URL is not included in the IEspyads.Reg file.
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
Glennshin, your log looks clean, but you do need to go to Windows Update and get all the criticals offered.