Hijack This Log File Help

Page 1 of 2

  1. Posts : 4
    Windows 7 Home
       #1



    I recently have been having problems with my browser (Firefox 3.6.6) redirecting me to ads when I click links, as well as new tabs opening up with ads in them. Some links I can no longer even open, for they open into an ad 100% of the time. These links I also know to be legitimate. A friend told me I should run HijackThis and post the log file on one of the many forums. So here it is; any help would be greatly appreciated! :)

    I am a Windows 7 Home user, 32 bit.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:23:13 AM, on 7/21/2010
    Platform: Unknown Windows (WinNT 6.01.3504)
    MSIE: Internet Explorer v8.00 (8.00.7600.16385)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\taskhost.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\LogMeIn Hamachi\hamachi-2-ui.exe
    C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\system32\DllHost.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5577
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [NVHotkey] rundll32.exe C:\Windows\system32\nvHotkey.dll,Start
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKCU\..\Run: [hsehf98u34i9tjioaugy987iuegdsg] C:\Users\Nate\AppData\Local\Temp\avp32.exe
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [Uqoyeburimuqujuz] rundll32.exe "C:\Users\Nate\AppData\Local\fved1642.dll",Startup (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [Uqoyeburimuqujuz] rundll32.exe "C:\Users\Nate\AppData\Local\fved1642.dll",Startup (User 'Default user')
    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
    O13 - Gopher Prefix:
    O16 - DPF: {D4003189-95B1-4A2F-9A87-F2B03665960D} (VodClient Control Class) - Vexcast.com - Stream Yourself - All Stream
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~1\Office12\GRA32A~1.DLL
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: LogMeIn Hamachi 2.0 Tunneling Engine (Hamachi2Svc) - LogMeIn Inc. - C:\Program Files\LogMeIn Hamachi\hamachi-2.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
    O23 - Service: PinnacleUpdate Service (PinnacleUpdateSvc) - Unknown owner - C:\Program Files\KALiNKOsoft\Pinnacle Game Profiler\pinnacle_updater.exe (file missing)
    O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe

    --
    End of file - 4978 bytes


  2. Posts : 2,963
    Windows 7 Professional SP1 64-bit
       #2

    "O4 - HKCU\..\Run: [hsehf98u34i9tjioaugy987iuegdsg] C:\Users\Nate\AppData\Local\Temp\avp32.exe"

    It is my understanding that this is part of the VirTool:Win32/Obfuscator virus. All I can find on it just says that it installs other malware on the computer. Microsoft's website says that the symptoms can be almost anything and that the alert level is severe. All I know to try is boot into safe mode and empty out your temp folders. You can open My Computer and right-click your hard drive, then run Disk Cleanup to empty the temp folders. You may have other problems and this might not solve the one you are having now. Give it a try and write back, or you can wait for right now and see if anyone else responds.


  3. Posts : 268
    windows 7 ultimate 64 bit,Windows 7 ultimate 32 bit,Windows XP sp3 home
       #3

    Hi... download MBAM, update it and scan. Follow it with a scan by HitmanPro.


  4. Posts : 8,608
    Windows 7 Ultimate 32bit SP1
       #4

    You've picked up a Bot ... You will need to change ALL your passwords using a known "clean" computer, not this one.

    This malware drops a copy of itself into the network shares by using NetBEUI to obtain a list of user names and passwords. It uses the following file names:
    • AVP-32.EXE
    It generates IP addresses and attempts to drop a copy of itself into the following default shares:
    • c$
    • d$
    • e$
    • print$
    • admin$
    I don't see any antivirus software ... download Microsoft Security Essentials
    http://www.microsoft.com/security_essentials/

    Rescan with HJT and check these items:

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5577

    O4 - HKCU\..\Run: [hsehf98u34i9tjioaugy987iuegdsg] C:\Users\Nate\AppData\Local\Temp\avp32.exe
    O4 - HKUS\S-1-5-18\..\Run: [Uqoyeburimuqujuz] rundll32.exe "C:\Users\Nate\AppData\Local\fved1642.dll",Startup (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [Uqoyeburimuqujuz] rundll32.exe "C:\Users\Nate\AppData\Local\fved1642.dll",Startup (User 'Default user')

    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

    O16 - DPF: {D4003189-95B1-4A2F-9A87-F2B03665960D} (VodClient Control Class) - Vexcast.com - Stream Yourself - All Stream

    Close all windows except HJT, then click 'fix checked'. Exit HJT.

    Reboot into safe mode
    Restart the computer
    Immediately begin tapping the <F8> key.
    Use the arrow keys to highlight Safe Mode and press the <Enter> key.

    1. Open Registry Editor. To do this, click Start>Run, type Regedit, then press Enter.
    2. In the left panel, double-click the following:
      HKEY_LOCAL_MACHINE>Software>Microsoft>
      Windows>CurrentVersion>Run
    3. In the right panel, locate and delete the entry:
      AVP-SE="avp-32.exe"
    4. In the left panel, double-click the following:
      HKEY_LOCAL_MACHINE>Software>Microsoft>
      Windows>CurrentVersion>RunServices
    5. In the right panel, locate and delete the entry:
      AVP-SE="avp-32.exe"
    6. In the left panel, locate and delete the following registry key:
      HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>AVP-SE
    7. Close Registry Editor.
    Now copy and paste these lines into Notepad.
    @echo on
    rem Rewrite the hosts file with only the localhost entry, which removes any
    rem hijacked hostname mappings. The attrib calls clear and then restore the
    rem read-only/hidden/system bits so that the redirect can overwrite the file.
    pushd %SystemRoot%\System32\drivers\etc
    attrib -h -s -r hosts
    echo 127.0.0.1 localhost>hosts
    attrib +r +h +s hosts
    popd
    rem Drop and re-acquire the DHCP lease, then clear the DNS resolver cache.
    ipconfig /release
    ipconfig /renew
    ipconfig /flushdns
    rem Reset the Winsock catalog (removes injected LSPs) and the TCP/IP
    rem configuration. Both require an elevated prompt and take effect on reboot.
    netsh winsock reset
    netsh int ip reset
    rem Reboot in one second, then delete this batch file.
    shutdown -r -t 1
    del %0

    Save it as flush.bat on your desktop. Right-click it and choose Run as Administrator; your computer will reboot itself.

    download Malwarebytes' Anti-Malware to your desktop
    |MG| Malwarebytes Anti-Malware 1.46 Download
    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform full scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.

    * When completed, a log will open in Notepad. Please save it to a convenient location. Copy and Paste that log into your next reply.

    Post a fresh HJT log too.
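Editor's note, added to this thread and not part of any post or of HijackThis itself: the items Jacee picks out above are exactly the ones a quick automated pass would rank highest, and the script below encodes that pass so the reasoning is explicit. The R1 ProxyServer line is the one that explains the original symptom: with the system proxy set to 127.0.0.1:5577, every HTTP request from a browser that honours the system proxy settings is handed to a process on the same machine, which can rewrite pages and inject ads or redirects at will. The O4 entries are ranked on where the target lives (Temp and AppData are writable by the user and by anything running as the user), on which hive launches them (a Run value under the SYSTEM and Default profiles that points into C:\Users\Nate is not something a legitimate installer does), and on the value name. The rules are the editor's own heuristics, labelled as assumptions in the code; the sample log is constructed from lines copied out of the first post plus a few clean entries.

```python
"""Triage a HijackThis 2.x log for the kinds of entries flagged in this thread.

Added example: this is not HijackThis code and not code from the forum posts.
The rules are the editor's heuristics (assumptions about what deserves a second
look), not a definitive signature set; every hit still needs a human decision.
"""
import re
from dataclasses import dataclass

# Constructed sample: entries copied from the first log posted in the thread,
# plus a few clean lines so the benign case is exercised as well.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5577
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [hsehf98u34i9tjioaugy987iuegdsg] C:\Users\Nate\AppData\Local\Temp\avp32.exe
O4 - HKUS\S-1-5-18\..\Run: [Uqoyeburimuqujuz] rundll32.exe "C:\Users\Nate\AppData\Local\fved1642.dll",Startup (User 'SYSTEM')
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O16 - DPF: {D4003189-95B1-4A2F-9A87-F2B03665960D} (VodClient Control Class) - Vexcast.com - Stream Yourself - All Stream
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: PinnacleUpdate Service (PinnacleUpdateSvc) - Unknown owner - C:\Program Files\KALiNKOsoft\Pinnacle Game Profiler\pinnacle_updater.exe (file missing)
"""

ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")
# O4 body layout: <hive>\..\<Run key>: [<value name>] <command> [(User '...')]
O4_RE = re.compile(r"^(?P<hive>[^\[]+?)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
USER_WRITABLE_RE = re.compile(r"\\AppData\\|\\Temp\\", re.IGNORECASE)
LOOPBACK_RE = re.compile(r"\b(?:127\.0\.0\.1|localhost)\b", re.IGNORECASE)
# Assumption: letters and digits mixed, no spaces, 12+ chars is typical of generated names.
RANDOM_NAME_RE = re.compile(r"^(?=.*\d)(?=.*[a-z])[a-z0-9]{12,}$", re.IGNORECASE)
SYSTEM_HIVES = ("HKUS\\S-1-5-18", "HKUS\\.DEFAULT")


@dataclass(frozen=True)
class Finding:
    section: str
    severity: str  # "high", "medium" or "low"
    reason: str
    line: str


def _check_o4(line, body):
    """Autorun (O4) checks: where the target lives, who runs it, what it is called."""
    m = O4_RE.match(body)
    if not m:
        return []
    hive, name, cmd = m["hive"], m["name"], m["cmd"]
    lower = cmd.lower()
    out = []
    if USER_WRITABLE_RE.search(cmd):
        out.append(Finding("O4", "high",
                           f"autorun '{name}' launches from a user-writable location (Temp/AppData)", line))
    if hive.upper().startswith(SYSTEM_HIVES) and "\\users\\" in lower:
        out.append(Finding("O4", "high",
                           "SYSTEM/Default-profile autorun points into an ordinary user's profile", line))
    if lower.startswith("rundll32") and "\\windows\\system32\\" not in lower:
        out.append(Finding("O4", "medium",
                           "rundll32 is used to load a DLL that does not live in System32", line))
    if RANDOM_NAME_RE.match(name):
        out.append(Finding("O4", "low", f"value name '{name}' looks machine-generated", line))
    return out


def triage(log_text):
    """Return a list of Findings for the suspicious entries in a HijackThis log."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header, blank line, 'Running processes' block, etc.
        section, body = m["section"], m["body"]
        if section == "R1" and "ProxyServer" in body and LOOPBACK_RE.search(body):
            findings.append(Finding(section, "high",
                "browser proxy points at this machine: a local process relays (and can rewrite) HTTP", line))
        elif section == "O4":
            findings.extend(_check_o4(line, body))
        elif section == "O7":
            findings.append(Finding(section, "medium",
                "policy restriction set under HKCU; malware sets these to hinder cleanup", line))
        elif section == "O16":
            findings.append(Finding(section, "low",
                "downloaded ActiveX control; confirm the vendor before keeping it", line))
        elif section == "O23" and "(file missing)" in body:
            findings.append(Finding(section, "low", "service points at a binary that no longer exists", line))
    return findings


def summary(findings):
    """Count findings per severity, always reporting all three buckets."""
    return {sev: sum(f.severity == sev for f in findings) for sev in ("high", "medium", "low")}


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    order = ("high", "medium", "low")
    for hit in sorted(hits, key=lambda x: order.index(x.severity)):
        print(f"[{hit.severity:6}] {hit.section}: {hit.reason}\n          {hit.line}")
    print(summary(hits))
```

Run against the sample it reports four high, two medium and three low findings; the iTunes, NVIDIA, Sidebar and Bonjour lines produce nothing. Note what the script cannot tell you: it ranks entries, it does not identify the malware, and the "random name" rule is deliberately rated low because pronounceable generated names such as the second one above pass it. The second log in this thread, posted after cleanup, should produce no high findings when fed to the same function; that is a cheap way to confirm the fix took.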


  5. Posts : 2,963
    Windows 7 Professional SP1 64-bit
       #5

    I'm glad to see Jacee knew exactly what to do. When it comes to removing malware, I usually track down posts like hers and follow the instructions given. Let us know how everything goes.


  6. Posts : 4
    Windows 7 Home
    Thread Starter
       #6

    To: Petey7, Thathagat, and Jacee

    Here's what I did, and it worked:

    1. I followed Petey7's advice and fixed this issue with hijackthis "O4 - HKCU\..\Run: [hsehf98u34i9tjioaugy987iuegdsg] C:\Users\Nate\AppData\Local\Temp\avp32.exe"

    2. I downloaded and ran both Malwarebytes and HijackThis; both found issues to fix.

    3. I used Windows clean up followed by CCleaner.

    4. I restarted and allowed for the appropriate programs to "do their thing" and fix remnant issues.

    A special thanks to all of you for your help!

    Jacee: I sincerely appreciate your advice; however, as I am quite a novice in computer workings, and because I do not have a printer nearby, I tried the automated steps first. <3

    I am now (I think) virus free! Thanks to you all for helping me fix my <3Firefox<3

    **Please let me know if what I did should have worked, or if there is more... Thank you! =)

    EDIT: Here is the log file as requested.
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 1:09:08 PM, on 7/21/2010
    Platform: Unknown Windows (WinNT 6.01.3504)
    MSIE: Internet Explorer v8.00 (8.00.7600.16385)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\Dwm.exe
    C:\Windows\system32\taskhost.exe
    C:\Windows\Explorer.EXE
    C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\Windows\system32\SearchFilterHost.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
    O13 - Gopher Prefix:
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~1\Office12\GRA32A~1.DLL
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: LogMeIn Hamachi 2.0 Tunneling Engine (Hamachi2Svc) - LogMeIn Inc. - C:\Program Files\LogMeIn Hamachi\hamachi-2.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
    O23 - Service: PinnacleUpdate Service (PinnacleUpdateSvc) - Unknown owner - C:\Program Files\KALiNKOsoft\Pinnacle Game Profiler\pinnacle_updater.exe (file missing)
    O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe

    --
    End of file - 3585 bytes


  7. Posts : 2,963
    Windows 7 Professional SP1 64-bit
       #7

    All the entries that start with "Extra" look odd to me, but I don't know enough about Office to know if it's something to worry about or not. Everything else I see looks pretty normal to me. You might want to check back in a few and see what Jacee says to be sure.


  8. Posts : 8,608
    Windows 7 Ultimate 32bit SP1
       #8

    The HJT log shows nothing suspicious, but it still doesn't show an Anti-virus program!
    Will you post a log from Malwarebytes please?


  9. Posts : 4
    Windows 7 Home
    Thread Starter
       #9

    Sorry! I must have missed your request. Here it is. Thanks again!

    Malwarebytes' Anti-Malware 1.46
    Malwarebytes

    Database version: 4336

    Windows 6.1.7600
    Internet Explorer 8.0.7600.16385

    7/21/2010 3:05:29 PM
    mbam-log-2010-07-21 (15-05-29).txt

    Scan type: Full scan (C:\|)
    Objects scanned: 217361
    Time elapsed: 1 hour(s), 3 minute(s), 46 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)


  10. Posts : 8,608
    Windows 7 Ultimate 32bit SP1
       #10

    What Firewall are you using?


 