

Windows 7: Hijack This Log File Help

21 Jul 2010   #1
Nakielobstar

Windows 7 Home
I recently have been having problems with my browser (Firefox 3.6.6) redirecting me to ads when clicking links, as well as new tabs opening up with ads in them. Some links I can no longer even open, for they open into an ad 100% of the time. These links I also know to be legitimate. A friend told me I should run HijackThis and post the log file on one of the many forums. So here it is; any help would be greatly appreciated!

I am a Windows 7 Home user, 32 bit.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:23:13 AM, on 7/21/2010
Platform: Unknown Windows (WinNT 6.01.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\LogMeIn Hamachi\hamachi-2-ui.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5577
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe C:\Windows\system32\nvHotkey.dll,Start
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [hsehf98u34i9tjioaugy987iuegdsg] C:\Users\Nate\AppData\Local\Temp\avp32.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Uqoyeburimuqujuz] rundll32.exe "C:\Users\Nate\AppData\Local\fved1642.dll",Startup (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Uqoyeburimuqujuz] rundll32.exe "C:\Users\Nate\AppData\Local\fved1642.dll",Startup (User 'Default user')
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {D4003189-95B1-4A2F-9A87-F2B03665960D} (VodClient Control Class) - Vexcast.com - Stream Yourself - All Stream
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~1\Office12\GRA32A~1.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: LogMeIn Hamachi 2.0 Tunneling Engine (Hamachi2Svc) - LogMeIn Inc. - C:\Program Files\LogMeIn Hamachi\hamachi-2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: PinnacleUpdate Service (PinnacleUpdateSvc) - Unknown owner - C:\Program Files\KALiNKOsoft\Pinnacle Game Profiler\pinnacle_updater.exe (file missing)
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe

--
End of file - 4978 bytes


21 Jul 2010   #2
Petey7

Windows 7 Professional SP1 64-bit

"O4 - HKCU\..\Run: [hsehf98u34i9tjioaugy987iuegdsg] C:\Users\Nate\AppData\Local\Temp\avp32.exe"

It is my understanding that this is part of the VirTool:Win32/Obfuscator virus. All I can find on it just says that it installs other malware on the computer. Microsoft's website says that the symptoms can be almost anything and that the alert level is severe. All I know to try is to boot into safe mode and empty out your temp folders. You can open My Computer and right-click your hard drive, then run Disk Cleanup to empty the temp folders. You may have other problems and this might not solve the one you are having now. Give it a try and write back, or you can wait for now and see if anyone else responds.
21 Jul 2010   #3
thathagat

windows 7 ultimate 64 bit,Windows 7 ultimate 32 bit,Windows XP sp3 home

Hi... d/l MBAM, update it and scan. Follow it with a scan by Hitman Pro.

21 Jul 2010   #4
Jacee
Microsoft MVP

Windows 7 Ultimate 32bit SP1

You've picked up a Bot ... You will need to change ALL your passwords using a known "clean" computer, not this one.
Quote:

This malware drops a copy of itself into the network shares by using NetBEUI to obtain a list of user names and passwords. It uses the following file names:
  • AVP-32.EXE
It generates IP addresses and attempts to drop a copy of itself into the following default shares:
  • c$
  • d$
  • e$
  • print$
  • admin$
I don't see any antivirus software ... download Microsoft Security Essentials
http://www.microsoft.com/security_essentials/

Rescan with HJT and check these items:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5577

O4 - HKCU\..\Run: [hsehf98u34i9tjioaugy987iuegdsg] C:\Users\Nate\AppData\Local\Temp\avp32.exe
O4 - HKUS\S-1-5-18\..\Run: [Uqoyeburimuqujuz] rundll32.exe "C:\Users\Nate\AppData\Local\fved1642.dll",Startup (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Uqoyeburimuqujuz] rundll32.exe "C:\Users\Nate\AppData\Local\fved1642.dll",Startup (User 'Default user')

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

O16 - DPF: {D4003189-95B1-4A2F-9A87-F2B03665960D} (VodClient Control Class) - Vexcast.com - Stream Yourself - All Stream

Close all windows except HJT, then click 'fix checked'. Exit HJT.

Reboot into safe mode
Restart the computer
Immediately begin tapping the <F8> key.
Use the arrow keys to highlight Safe Mode and press the <Enter> key.
  1. Open Registry Editor. To do this, click Start>Run, type Regedit, then press Enter.
  2. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>Software>Microsoft>
    Windows>CurrentVersion>Run
  3. In the right panel, locate and delete the entry:
    AVP-SE="avp-32.exe"
  4. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>Software>Microsoft>
    Windows>CurrentVersion>RunServices
  5. In the right panel, locate and delete the entry:
    AVP-SE="avp-32.exe"
  6. In the left panel, locate and delete the following registry key:
    HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>AVP-SE
  7. Close Registry Editor.
Now copy and paste these lines into Notepad.
@Echo on
REM Reset the hosts file to the single default loopback entry, then reset
REM the network stack. Must be run from an elevated (Administrator) prompt.
pushd "%SystemRoot%\System32\drivers\etc"
REM Clear the hidden/system/read-only attributes so the file can be overwritten
attrib -h -s -r hosts
REM Replace any malware-added redirects with a clean default
echo 127.0.0.1 localhost>hosts
attrib +r +h +s hosts
popd
REM Drop and re-acquire the DHCP lease, then flush the DNS resolver cache
ipconfig /release
ipconfig /renew
ipconfig /flushdns
REM Reset the Winsock catalog and the TCP/IP stack (both take effect after reboot)
netsh winsock reset
netsh int ip reset
REM Reboot in one second and delete this batch file
shutdown -r -t 1
del %0

Save it as flush.bat on your desktop. Right-click it and run as Administrator; your computer will reboot itself.

download Malwarebytes' Anti-Malware to your desktop
|MG| Malwarebytes Anti-Malware 1.46 Download
* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.

* When completed, a log will open in Notepad. Please save it to a convenient location. Copy and Paste that log into your next reply.

Post a fresh HJT log too.
21 Jul 2010   #5
Petey7

Windows 7 Professional SP1 64-bit

I'm glad to see Jacee knew exactly what to do. When it comes to removing malware, I usually track down posts like hers and follow the instructions given. Let us know how everything goes.
21 Jul 2010   #6
Nakielobstar

Windows 7 Home

To: Petey7, Thathagat, and Jacee

Here's what I did, and it worked:

1. I followed Petey7's advice and fixed this issue with HijackThis: "O4 - HKCU\..\Run: [hsehf98u34i9tjioaugy987iuegdsg] C:\Users\Nate\AppData\Local\Temp\avp32.exe"

2. I downloaded and ran both Malwarebytes and HijackThis; both found issues to fix.

3. I used Windows cleanup followed by CCleaner.

4. I restarted and allowed for the appropriate programs to "do their thing" and fix remnant issues.

A special thanks to all of you for your help!

Jacee: I sincerely appreciate your advice; however, as I am quite a novice in computer workings, and because I do not have a printer nearby, I tried the automated steps first. <3

I am now (I think) virus free! Thanks to you all for helping me fix my <3Firefox<3

**Please let me know if what I did should have worked, or if there is more... Thank you! =)

EDIT: Here is the log file as requested.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:09:08 PM, on 7/21/2010
Platform: Unknown Windows (WinNT 6.01.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskhost.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\SearchFilterHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~1\Office12\GRA32A~1.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: LogMeIn Hamachi 2.0 Tunneling Engine (Hamachi2Svc) - LogMeIn Inc. - C:\Program Files\LogMeIn Hamachi\hamachi-2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: PinnacleUpdate Service (PinnacleUpdateSvc) - Unknown owner - C:\Program Files\KALiNKOsoft\Pinnacle Game Profiler\pinnacle_updater.exe (file missing)
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe

--
End of file - 3585 bytes
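The entries Jacee singled out in the first log, and the clean second log just above, can be checked mechanically. What follows is an added example and not code from this thread or from HijackThis itself: a small Python triage script that parses the HJT entry lines, flags an O4 autorun launched from a per-user Temp or AppData\Local path, a user-level R1 proxy pointing at 127.0.0.1, the O7 DisableRegedit lockout and any O16 ActiveX download, and then diffs a before/after pair of logs to list what the cleanup removed. The heuristics are the editor's, not HijackThis's own scoring, and the two embedded sample logs are constructed, condensed from the two logs posted in this thread.

```python
"""Triage helper for Trend Micro HijackThis v2 logs.

Added example (not part of the thread or of HijackThis itself): parses the
'R0/R1 - ...' and 'O4/O7/O16 - ...' entry lines, flags the kinds of entries
that were pulled out of the first log in this thread, and diffs a
before/after pair of logs to show which entries the cleanup removed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Every HJT finding is "<section> - <body>", e.g. "O4 - HKCU\..\Run: [...] ...".
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d{1,2}) - (?P<body>.+)$")

# Startup items launched from a per-user Temp or AppData\Local path; legitimate
# software almost never registers an autorun there.
USER_TEMP_PATH_RE = re.compile(
    r"\\AppData\\Local\\(?:Temp\\)?[^\\\"]+\.(?:exe|dll)", re.IGNORECASE)
LOOPBACK_RE = re.compile(r"127\.0\.0\.1|localhost", re.IGNORECASE)


@dataclass(frozen=True)
class Entry:
    section: str  # e.g. "R1", "O4", "O23"
    body: str


def parse_hjt(text: str) -> List[Entry]:
    """Return the finding lines of an HJT log; headers and the process list are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group("section"), m.group("body").strip()))
    return entries


def flag(entry: Entry) -> Optional[str]:
    """Return why this entry deserves a closer look, or None if it looks routine."""
    body = entry.body
    if entry.section == "O4" and USER_TEMP_PATH_RE.search(body):
        return "autorun launched from a per-user Temp/AppData\\Local path"
    if entry.section == "R1" and "ProxyServer" in body and LOOPBACK_RE.search(body):
        return "user-level proxy points at loopback: browser traffic is intercepted locally"
    if entry.section == "O7" and "DisableRegedit=1" in body:
        return "Registry Editor disabled by policy, a common malware lockout"
    if entry.section == "O16":
        return "downloaded ActiveX control (DPF); confirm you installed it on purpose"
    return None


def triage(text: str) -> List[Tuple[Entry, str]]:
    """All flagged entries of a log with their reasons, in log order."""
    flagged = []
    for entry in parse_hjt(text):
        reason = flag(entry)
        if reason:
            flagged.append((entry, reason))
    return flagged


def removed_entries(before: str, after: str) -> List[Entry]:
    """Entries present in the first log but absent from the second (what cleanup removed)."""
    after_set = set(parse_hjt(after))
    return [e for e in parse_hjt(before) if e not in after_set]


# Constructed samples, condensed from the two logs posted in this thread.
BEFORE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Boot mode: Normal

Running processes:
C:\Windows\Explorer.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5577
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [hsehf98u34i9tjioaugy987iuegdsg] C:\Users\Nate\AppData\Local\Temp\avp32.exe
O4 - HKUS\S-1-5-18\..\Run: [Uqoyeburimuqujuz] rundll32.exe "C:\Users\Nate\AppData\Local\fved1642.dll",Startup (User 'SYSTEM')
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O16 - DPF: {D4003189-95B1-4A2F-9A87-F2B03665960D} (VodClient Control Class) - Vexcast.com - Stream Yourself - All Stream
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
"""

AFTER_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Boot mode: Normal

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
"""

if __name__ == "__main__":
    for entry, reason in triage(BEFORE_LOG):
        print(f"[{entry.section}] {reason}\n    {entry.body}")
    print("\nRemoved by cleanup:")
    for entry in removed_entries(BEFORE_LOG, AFTER_LOG):
        print(f"  {entry.section} - {entry.body}")
```

Run against the constructed "before" log it flags five entries (the loopback proxy, the two AppData autoruns, the DisableRegedit policy and the O16 control) and nothing in the "after" log; the diff lists exactly those five as removed. The path heuristic is deliberately narrow: an autorun under AppData\Local is a strong but not certain signal, so the script reports reasons for a human to read rather than deleting anything.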
21 Jul 2010   #7
Petey7

Windows 7 Professional SP1 64-bit

All the entries that start with "Extra" look odd to me, but I don't know enough about Office to know if it's something to worry about or not. Everything else I see looks pretty normal to me. You might want to check back in a few and see what Jacee says to be sure.
21 Jul 2010   #8
Jacee
Microsoft MVP

Windows 7 Ultimate 32bit SP1

The HJT log shows nothing suspicious, but it still doesn't show an Anti-virus program!
Will you post a log from Malwarebytes please?
21 Jul 2010   #9
Nakielobstar

Windows 7 Home

Sorry! I must have missed your request. Here it is. Thanks again!

Malwarebytes' Anti-Malware 1.46
Malwarebytes

Database version: 4336

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

7/21/2010 3:05:29 PM
mbam-log-2010-07-21 (15-05-29).txt

Scan type: Full scan (C:\|)
Objects scanned: 217361
Time elapsed: 1 hour(s), 3 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
21 Jul 2010   #10
Jacee
Microsoft MVP

Windows 7 Ultimate 32bit SP1

What Firewall are you using?