General Security: Post any general questions related to security, viruses or spyware here.
WindowsBBS is an online community dedicated to easily accessible technical support for those using Microsoft operating systems and other Windows software.
Please help. I'm helping a friend with computer problems. Here is the hijack log.
Thanks --shammie
Logfile of HijackThis v1.98.0
Scan saved at 4:39:01 PM, on 9/2/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)
Hi shammie. You need to do some of the usual stuff here:
- get the latest HJT version
- put HJT in a folder other than temp
- get, update, run Ad-aware and Spybot
- empty all the temp folders
- disk cleanup
After that, it will be reasonable to start working on the various types of malware still on the PC after the above, so that would be a good time to post a new HJT log with the new version.
OK. I have run Ad-aware, Spybot and cleaned the disk. I could not get an update for HijackThis (downloaded the new one). Here is a copy of the log. Thanks.
Logfile of HijackThis v1.98.2
Scan saved at 5:58:10 PM, on 9/2/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)
Thanks. Looks better - or maybe worse - but at least better to work with. This PC has really been eaten alive by malware. I looked back at some of your earlier threads and want to say "good on you" for helping so many folks who have spyware problems. Gotta be a relief for them to have clean systems. But moving right along.
Download CWShredder (quicklinks) but don't do anything with it for now. You will need it later.
Open HijackThis and run a scan. Check all the following for removal and then remove them.
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\gmvsr.dll/sp.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\gmvsr.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\gmvsr.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\gmvsr.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\gmvsr.dll/sp.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\gmvsr.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\gmvsr.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {66BEFA4A-DA6F-C681-9F03-A12F8ECDE056} - C:\WINDOWS\SYSTEM\MFCWS.DLL
O4 - HKLM\..\Run: [IEDP32.EXE] C:\WINDOWS\IEDP32.EXE
O4 - HKLM\..\Run: [S] C:\WINDOWS\TEMP\S.EXE
O4 - HKLM\..\Run: [49CCN@T2XA5GAM] C:\WINDOWS\SYSTEM\Ezg1q5.exe
O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe
O4 - HKLM\..\Run: [ B ] C:\WINDOWS\TEMP\B.EXE
O4 - HKLM\..\Run: [AutoUpdater] "c:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [r83R36X] MMFASF.EXE
O4 - HKLM\..\RunServices: [NTGH.EXE] C:\WINDOWS\SYSTEM\NTGH.EXE
O4 - HKCU\..\Run: [azs5RWbmQ] MNMBVM50.EXE
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O16 - DPF: {7EB15626-CB8E-4174-8A72-C055B12B4310} (CQD2Loader Object) - http://smartdownloader.com/installer.dll
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_f...022384e480b9c0d
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} (CInstall Class) - http://www.spywarestormer.com/files2/Install.cab
O21 - SSODL: systemie - {AE479BDE-0499-4A02-A015-9AADB6EA29B9} - systemie.dll (file missing)
(Note: several of those O16 entries may be fine, but this system is so badly eaten up, and O16 items are always safe to remove since they will be rebuilt on the next visit to a site that needs them, that I'd like to just make them go away.)
Not sure about this application. Doesn't seem to be really effective, but some of the security gurus are more up to date, so let them suggest.
O4 - HKCU\..\Run: [Spyware Begone] C:\FREESCAN\FREESCAN.EXE -FastScan
Turn off system restore.
Go to Add/Remove Programs and, if the following are there, uninstall them if possible:
AUTOUPDATE
WEB OFFER
Boot to safe mode.
The following are either known baddies or else files that don't search up as being associated with any program, which normally indicates a virus or spyware payload dropped on the PC. Delete all of these.
C:\WINDOWS\SYSTEM\NTGH.EXE
C:\WINDOWS\IEDP32.EXE
C:\WINDOWS\TEMP\S.EXE (exe in a temp folder - always a bad sign)
C:\WINDOWS\SYSTEM\SYSTEMIE.EXE (part of TROJ_SISIE.A)
C:\WINDOWS\TEMP\B.EXE
C:\PROGRAM FILES\AUTOUPDATE\AUTOUPDATE.EXE (Adware.Envolo and used to update other adware)
- remove the entire folder
C:\WINDOWS\SYSTEM\MMFASF.EXE
C:\WINDOWS\SYSTEM\MNMBVM50.EXE
C:\PROGRAM FILES\WEB OFFER\WO.EXE (Web Offer is adware)
- remove the entire folder
C:\WINDOWS\SYSTEM\VYK0.EXE
C:\WINDOWS\SYSTEM\QEM6HC08.EXE
Close all other folders & programs then run CWShredder.
Boot back to normal mode, run HijackThis again and post the log. There was so much junk I may easily have missed some, or there may be a well hidden critter that continues to cause problems.
I'd also suggest while you are working with this PC that you download Spywareblaster, update it, and let it immunize all it can. Over 3000 bad things it's blocking now. With that and the immunize feature on Spybot, the PC will have quite a bit of extra protection and hopefully won't get so badly infested.
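As an added illustration (not from this thread or from HijackThis itself), the triage rules Newt applies above can be written down as a small script: an IE search page served from a local DLL via res://, an autostart executable in a TEMP folder, a random-looking Run key name, O16 downloads that are safe to remove, and an O21 entry whose DLL is missing. The sample log is constructed from entries quoted in the thread; the regexes and rule wording are my own.

```python
import re

# Constructed sample: a handful of entries copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\gmvsr.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
O2 - BHO: Class - {66BEFA4A-DA6F-C681-9F03-A12F8ECDE056} - C:\WINDOWS\SYSTEM\MFCWS.DLL
O4 - HKLM\..\Run: [S] C:\WINDOWS\TEMP\S.EXE
O4 - HKLM\..\Run: [49CCN@T2XA5GAM] C:\WINDOWS\SYSTEM\Ezg1q5.exe
O4 - HKLM\..\Run: [AutoUpdater] "c:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKCU\..\Run: [Spyware Begone] C:\FREESCAN\FREESCAN.EXE -FastScan
O16 - DPF: {7EB15626-CB8E-4174-8A72-C055B12B4310} (CQD2Loader Object) - http://smartdownloader.com/installer.dll
O21 - SSODL: systemie - {AE479BDE-0499-4A02-A015-9AADB6EA29B9} - systemie.dll (file missing)
"""

# "R1 - <body>" / "O4 - <body>": section code, then the entry itself.
HJT_LINE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
# O4 body: HKLM\..\Run: [name] target   (also RunServices, RunOnce, ...)
O4_LINE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<target>.*)$")
# Heuristic for machine-generated names such as 49CCN@T2XA5GAM or r83R36X:
# letters and digits mixed, no spaces or dots, at least five characters.
RANDOM_NAME = re.compile(r"^(?=.*\d)(?=.*[A-Za-z])[A-Za-z0-9@]{5,}$")


def triage_line(line):
    """Return (section, reason) if the entry trips one of the thread's rules, else None."""
    m = HJT_LINE.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    if sec in ("R0", "R1") and "res://" in body and ".dll" in body.lower():
        return (sec, "IE search/start page served from a local DLL (CWS-style hijack)")
    if sec == "O4":
        o4 = O4_LINE.match(body)
        if o4:
            target = o4.group("target").strip('"').upper()
            if "\\TEMP\\" in target:
                return (sec, "autostart executable in a temp folder")
            if RANDOM_NAME.match(o4.group("name").strip()):
                return (sec, "random-looking run-key name")
    if sec == "O16":
        return (sec, "ActiveX download; safe to remove, rebuilt on the next visit to a site that needs it")
    if sec == "O21" and "(file missing)" in body:
        return (sec, "shell service object load whose DLL is missing")
    return None


def triage_log(text):
    """Walk a whole log and return [(entry, reason)] for every flagged line."""
    return [(ln.strip(), hit[1]) for ln in text.splitlines() for hit in [triage_line(ln)] if hit]
```

Entries the thread was unsure about (the "Spyware Begone" scanner, AutoUpdater) fall through with no finding, which is the intended behaviour: the rules flag only what the posts call out as clearly bad.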
That PC has a peper infection. Download the following fix, saving it to your desktop, then double click to open. Then click 'Find and Fix' and reboot if prompted.
Reboot again when finished. You will most likely have this entry to fix with HJT afterwards:
O4 - HKLM\..\Run: [49CCN@T2XA5GAM] C:\WINDOWS\SYSTEM\Ezg1q5.exe
It also has a nasty CoolWebSearch infection. CWShredder may get rid of it if run in safe mode, but most likely you will need AboutBuster. After running the peperfix and fixing the items Newt has pointed out, these entries may return in a HJT scan.
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\gmvsr.dll/sp.html#96676
O2 - BHO: Class - {66BEFA4A-DA6F-C681-9F03-A12F8ECDE056} - C:\WINDOWS\SYSTEM\MFCWS.DLL
and maybe one of those oddball run entries
If so, Run HijackThis again and place a check beside each of the following items. Once done click the fix checked button.
O2 - BHO: Class - {66BEFA4A-DA6F-C681-9F03-A12F8ECDE056} - C:\WINDOWS\SYSTEM\MFCWS.DLL
the oddball run entry
Download AboutBuster from one of the following locations.
First unzip all files from the zip folder to a folder or your desktop. Double click AboutBuster.exe and click ok, then update. A new screen should popup. On that screen click Check for Updates. If it says it found an update click Download Updates. If it doesn't, it will automatically tell you and exit.
Close ALL Internet Explorer windows. This is a very important step!!
Click start and then Ok. The program should start scanning. Wait for it to finish (may take a while), then hit exit and reboot.
Once rebooted run About:Buster once more to make sure everything is ok.
Reboot and run another HijackThis scan and post the log.
I have run AboutBuster (took ~6 hrs), CWShredder, and fixed the HijackThis entries. On boot up this message comes up: "spool32 has caused an error in mmsystem.dll. spool32 will now close". Any help? Also the colors and size of web pages are not right. Here is the new hijack log. Thanks
Logfile of HijackThis v1.98.2
Scan saved at 5:38:43 PM, on 9/3/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)
Search for and delete this file if found: savei-syncm-whseinst.exe
Open C:\Program Files and delete the folders TV MEDIA, Delfin and VVSN if present.
Open C:\Program Files\Common Files and delete the folder DPI.
Open C:\WINDOWS\system and delete the files SearchBar.htm, IEHost.exe and NTGH.EXE if present.
Open C:\Temp if present, select all and delete.
Open C:\Windows\Temp, select all and delete.
Open My Computer, right click Local disk C: and choose properties, then disk cleanup. Reboot.
Back in Windows, you can re-enable system restore. Then visit Windows Update. Accept all critical updates.
Reboot and go back to Windows Update until there are no more criticals offered.
Scan the PC with RAV. Check the box to autoclean. If any files are infected and uncleanable, click the report button then copy and paste it here, along with a new HijackThis log.
I fixed the HijackThis files. Can't find TV Media, savei-syncm-whseinst.exe, SearchBar.htm, IEHost.exe or NTGH.EXE. Deleted the DPI file, and ran RAV; here is a copy of the report. Also Windows Update will not install; current Windows version is 5.50.4134.
Statistics
Scanned files: 18020
Scanned directories: 1220
Scanned archives: 2260
Size of the scanned files: 3032783504
Packed files: 602
Known viruses found: 38
Virus bodies: 22
Suspicious files: 1
Logfile of HijackThis v1.98.2
Scan saved at 9:00:46 PM, on 9/3/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)
c:\Symantec <<<< I have a gut feeling this entire folder is junk. Norton keeps its vaulted files elsewhere. See what all is in it before deleting.
c:\My Documents\hijackthis\backups
backup-20040903-101435-591.dll
C:\Windows\Temp ..... select all and delete.
Look again for IEHost.exe in C:\Windows\System and TV Media folder in Program Files.
Empty the recycle bin. Reboot and run the scans again.
The update installation is set to run at startup. Hopefully it will complete and ask you to reboot. If it doesn't complete the installation, you may have to try again after this PC is all cleaned up.
Thanks for all your help. I think that everything is finally deleted: RAV shows no virus, Ad-aware clean, Spybot clean. I still cannot install Windows Update, and the Internet Explorer colors are bad; it's hard to read, looks like the colors when in safe mode. Here is the new hijack log:
Logfile of HijackThis v1.98.2
Scan saved at 12:05:23 PM, on 9/4/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)
I can see an attempt was made to update IE. What you may need to do to access windows update is add the site to the Trusted Zone of IE. Go to Internet Options, click on Security tab, then click on Trusted, then click on the Sites button. Uncheck the box about HTTPS, and Add *.windowsupdate.com, as it appears here. Let the Security Level of Trusted be at the default Low setting.
The .lnk extension on this entry, O4 - Startup: Resume Windows Update Installation.lnk = C:\WINDOWS\Windows Update Setup Files\ie6setup.exe, makes it appear there is now a shortcut for resuming the update installation. Is there? If so, double click it to start.