Post #1 · Discussion Starter (Registered, 1 Posts)
Hi I have the same problem as somebody else in this forum.
My hijack log goes like this.


Logfile of HijackThis v1.99.1
Scan saved at 6:58:58 PM, on 8/15/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\system32\stisvc.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\NavNT\vptray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
D:\program files\TELUS\FastDial\fastdial.exe
E:\Important stuff\HIJACK~1\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\OOBE\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5400
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [VTPreset] VTPreset.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Startup: WkCalRem.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
O8 - Extra context menu item: Show All Original Images - res://D:\program files\TELUS\FastDial\fastdial.exe/250
O8 - Extra context menu item: Show Original Image - res://D:\program files\TELUS\FastDial\fastdial.exe/227
O17 - HKLM\System\CCS\Services\Tcpip\..\{39157D99-3A97-4B0C-85A5-32745D56D397}: NameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{61DA81E8-326F-42F1-80D9-C864FD8C2B1B}: NameServer = 216.254.141.13 209.90.160.220
O17 - HKLM\System\CS1\Services\Tcpip\..\{39157D99-3A97-4B0C-85A5-32745D56D397}: NameServer = 192.168.0.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{39157D99-3A97-4B0C-85A5-32745D56D397}: NameServer = 192.168.0.1
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: Workstation Service Library (Microsoft Locator Service) - Unknown owner - C:\WINDOWS\wkssvc.exe (file missing)
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Office Source Engine (ose) - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (file missing)
O23 - Service: Microsoft New Game 2 (svehost32) - Unknown owner - C:\WINDOWS\svehost32.exe

Just a little frustrated...
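Added example, not part of either post: a Python triage pass over the kind of log posted above. The sample lines are copied from the log in post #1; the flagging rules are mine and encode the checks the helper's fix implies (a service binary sitting directly in C:\WINDOWS rather than System32, a registered service whose file is missing, a "Microsoft" service name with no company information, the Local Page set to a file outside System32) plus two a practitioner would add: a ProxyServer on the loopback address and a Run entry given as a bare filename. Everything it reports is "review this", not a verdict; the WINDIR constant, the Finding class and the rule set are assumptions of the example, not HijackThis logic.

```python
"""Triage pass over HijackThis v1.99 log lines.

Added example for this thread; not HijackThis code and not the helper's tooling.
The rules below are an illustration of what to look at first in such a log.
"""
import re
from dataclasses import dataclass

WINDIR = r"C:\WINDOWS"   # assumption: matches the process paths in the posted log

# Sample input: lines copied from the log in post #1 (constructed subset).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\OOBE\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5400
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [VTPreset] VTPreset.exe
O4 - Startup: WkCalRem.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Workstation Service Library (Microsoft Locator Service) - Unknown owner - C:\WINDOWS\wkssvc.exe (file missing)
O23 - Service: Office Source Engine (ose) - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (file missing)
O23 - Service: Microsoft New Game 2 (svehost32) - Unknown owner - C:\WINDOWS\svehost32.exe
"""


@dataclass(frozen=True)
class Finding:
    code: str      # HijackThis section: R0, R1, O4, O23
    subject: str   # service short name, Run value name, or IE setting name
    reason: str


_ENTRY = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.+)$")
_O23 = re.compile(r"^Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$")
_R = re.compile(r"^(?P<key>[^,]+),(?P<vname>[^=]+?) = (?P<value>.*)$")
_O4 = re.compile(r"^(?P<hive>.+?): \[(?P<vname>[^\]]+)\] (?P<cmd>.+)$")


def _directly_in_windir(path):
    """True when the file sits in WINDIR itself, not in System32 or any subfolder."""
    root = WINDIR.lower() + "\\"
    p = path.lower()
    return p.startswith(root) and "\\" not in p[len(root):]


def check_o23(body):
    """O23 (NT services): location, missing binary, and name/owner mismatch."""
    m = _O23.match(body)
    if not m:
        return []
    name, owner, path = m["name"], m["owner"], m["path"]
    # HijackThis prints "Display Name (ServiceName)"; fall back to the display name.
    short = name[name.rfind("(") + 1:-1] if name.endswith(")") else name
    out = []
    if _directly_in_windir(path):
        out.append(Finding("O23", short, "binary directly in %s, not System32: %s" % (WINDIR, path)))
    if m["missing"]:
        out.append(Finding("O23", short, "service registered but its file is missing: %s" % path))
    if owner == "Unknown owner" and "microsoft" in name.lower():
        out.append(Finding("O23", short, "name claims Microsoft but the binary has no company info"))
    return out


def check_r(code, body):
    """R0/R1 (IE settings): loopback proxy, odd Local Page, file-based start/search page."""
    m = _R.match(body)
    if not m:
        return []
    vname, value = m["vname"].strip(), m["value"].strip()
    out = []
    if vname == "ProxyServer" and re.search(r"127\.0\.0\.1|localhost", value, re.I):
        out.append(Finding(code, vname, "IE traffic routed through a loopback proxy (%s); "
                                        "identify the process listening on that port" % value))
    if vname == "Local Page" and not value.lower().startswith((WINDIR + "\\system32\\").lower()):
        out.append(Finding(code, vname, "Local Page outside %s\\system32: %s" % (WINDIR, value)))
    if vname in ("Start Page", "Search Page") and re.match(r"^[a-z]:\\", value, re.I):
        out.append(Finding(code, vname, "points at a local file: %s" % value))
    return out


def check_o4(body):
    """O4 (Run keys): a bare filename is resolved via the search path at logon."""
    m = _O4.match(body)
    if not m:
        return []
    cmd = m["cmd"].strip().strip('"')
    if "\\" not in cmd:
        return [Finding("O4", m["vname"], "bare filename '%s' resolved via the search path; "
                                           "confirm which copy actually runs" % cmd)]
    return []


def triage(log_text):
    """Return the Findings for every recognised entry in a HijackThis log."""
    findings = []
    for raw in log_text.splitlines():
        m = _ENTRY.match(raw.strip())
        if not m:
            continue
        code, body = m["code"], m["body"]
        if code == "O23":
            findings.extend(check_o23(body))
        elif code in ("R0", "R1"):
            findings.extend(check_r(code, body))
        elif code == "O4":
            findings.extend(check_o4(body))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("%-4s %-26s %s" % (f.code, f.subject, f.reason))
```

Run against the sample, svehost32 and the "Microsoft Locator Service" entry each trip several rules at once while DefWatch, vptray and the Google start page trip none, which is the point: the helper's fix list falls out of a handful of mechanical checks, and the loopback proxy line is the one item in the log those checks surface that the fix did not address.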
 

Post #2 · TSF Security Team, Emeritus (26,408 Posts)
Hello and Welcome to TSF!

Please subscribe to this thread to get immediate notification of fixes as soon as they are posted.

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

Please download these additional files/programs :- (Do not run them unless instructed to do so)
Unplug your computer from the Internet when you have finished downloading

CleanUp! - Install

KillBox v2.0.0.175 - Save to Desktop.

rdrivRem.zip - Unzip to Desktop.

UNPLUG YOUR COMPUTER FROM THE INTERNET WHEN YOU HAVE FINISHED DOWNLOADING

Please save the rest of these instructions in Notepad. I have customized my instructions on the assumption that you're using Notepad. It may lead to some confusion if you should choose to do otherwise.

If there's anything that you don't understand, kindly ask your questions before proceeding with the fixes. There should not be any open browsers when you are carrying out the procedures below.

IT IS IMPORTANT THAT YOU DON'T MISS A STEP & PERFORM EVERYTHING IN THE RIGHT ORDER.


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

Copy the filename/s listed below.
Select/Highlight all the filenames & then click on Notepad's Edit menu & select Copy
  • C:\WINDOWS\svehost32.exe
  • C:\WINDOWS\SYSTEM\OOBE\blank.htm
  • C:\WINDOWS\wkssvc.exe
Launch KillBox.exe
  1. Go to the File menu, and choose Paste from Clipboard
     Click the dropdown-arrow next to the Full Path of File to Delete field.
     Verify that the filenames you pasted are found in there.
  2. Select/tick the following:
     • Delete on Reboot
     • End Explorer Shell While Killing File
     • Unregister dll Before deleting (if it's not grayed out)
  3. Click the RED X button.
  4. Click Yes at the Delete on Reboot prompt.
  5. Click Yes at the 'Pending Operations prompt'.
* If you received a message such as: "PendingFileRenameOperations registry data has been removed by external process", you have to restart Windows manually.
* If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run KillBox, download and run missingfilesetup.exe. Then try KillBox again.



= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

Reboot to SafeMode
  • Shut Windows down, and then turn off the computer.
  • Restart the computer. The computer begins processing a set of instructions known as the Basic Input/Output System (BIOS). What is displayed depends on the BIOS manufacturer. Some computers display a progress bar that refers to the word BIOS, while others may not display any indication that this process is happening.
  • As soon as the BIOS has finished loading, begin tapping the F8 key on your keyboard. Continue to do so until the [Windows Advanced Options] menu appears.
  • Using the arrow keys on the keyboard, scroll to and select the Safe mode menu item, and then press Enter.

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

  1. Click Start->Run - type SERVICES.MSC & then click on the OK button
  2. Locate the service - Microsoft New Game 2 (svehost32)
  3. Double-click on it to open the Properties dialog.
  4. Stop the service by using the Stop button.
  5. Change the Startup type to Disabled & then click on the OK button

  6. Then start HiJackThis & go to Config>Misc.Tools...> Delete an NT service...
  7. In the popup box that appears, type in svehost32 & then click on the OK button

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

Double-click rdrivRem.bat to run the program - follow the instructions on the screen.


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

CLOSE ALL OTHER PROGRAMS & ALL OPENED WINDOWS

Run a scan with HiJackThis & select/tick the following & click "Fix checked" :

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\OOBE\blank.htm


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

Run CleanUp! using the following configuration:
  1. Click Options...
  2. Move the arrow down to Custom CleanUp!
  3. Put a check next to the following:
     • Empty Recycle Bins
     • Delete Cookies
     • Delete Prefetch files (Windows XP only)
     • Scan local drives for temporary files (Please uncheck this option)
     • CleanUp! All Users
  4. Click OK
  5. Press the CleanUp! button to start the program. Reboot/logoff when prompted.
* CleanUp! will delete all the files in your temp folders without making a backup


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

REBOOT TO NORMAL MODE

Perform an online scan with Internet Explorer with Panda ActiveScan - requires Internet Explorer

  1. Click on the Scan your PC button & a 'pop up' window shall appear. * ensure that your pop up blocker doesn't block it
  2. Click On 'Scan Now'
  3. Enter your e-mail address & click 'Scan Now' ...begins downloading Panda's ActiveX controls.- 8MB
  4. Begin the scan by selecting My Computer
    * You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
  5. If it finds any malware, it will offer you a report. Click on see report
  6. Then click Save report
  7. Post the contents of the report in your next reply
* Turn off the real time scanner of any existing antivirus program while performing the online scan


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

In your next post, please include fresh logs from:
  • HiJackThis log
  • Online Scan
Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now
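Added example, not KillBox's code and not the helper's: what "Delete on Reboot" does underneath. Windows implements MoveFileExW(src, NULL, MOVEFILE_DELAY_UNTIL_REBOOT) by appending to the REG_MULTI_SZ value PendingFileRenameOperations under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, as pairs of strings: the source in NT form (\??\C:\...) and the destination, which is empty for a delete. smss.exe applies the list early in the next boot, before services and the shell start, which is why a file held open by a running service can still be removed this way; the "registry data has been removed by external process" message quoted above refers to that value being cleared before the reboot happened. The three paths are the ones the helper queued in this post; the function and constant names are mine, and only queue_delete_on_reboot() needs Windows.

```python
r"""Delete-on-reboot via PendingFileRenameOperations.

Added example for this thread; not KillBox's code. The encode/decode/queue
helpers run anywhere; queue_delete_on_reboot() needs Windows and administrator.
Value layout (REG_MULTI_SZ): src1, dst1, src2, dst2, ... with an empty dst
meaning "delete src". Sources use the NT path form \??\C:\dir\file.
"""

MOVEFILE_DELAY_UNTIL_REBOOT = 0x4
KEY_PATH = r"SYSTEM\CurrentControlSet\Control\Session Manager"
VALUE_NAME = "PendingFileRenameOperations"


def nt_path(win_path):
    r"""C:\dir\file.exe -> \??\C:\dir\file.exe, the form the value stores."""
    return win_path if win_path.startswith("\\??\\") else "\\??\\" + win_path


def pending_entries(paths, existing=None):
    """Append a delete pair (source, '') per path to an existing operations
    list, skipping sources already queued. Returns the new flat list."""
    ops = list(existing or [])
    queued = {ops[i].lower() for i in range(0, len(ops) - 1, 2)}
    for p in paths:
        src = nt_path(p)
        if src.lower() not in queued:
            ops.extend([src, ""])
            queued.add(src.lower())
    return ops


def is_queued(ops, path):
    """True if `path` is queued for deletion (source present, destination empty)."""
    src = nt_path(path).lower()
    return any(ops[i].lower() == src and ops[i + 1] == ""
               for i in range(0, len(ops) - 1, 2))


def encode_multi_sz(strings):
    """Raw REG_MULTI_SZ bytes: every string NUL-terminated, UTF-16LE, plus a
    final NUL. Empty strings are kept; they are the delete destinations."""
    return ("".join(s + "\0" for s in strings) + "\0").encode("utf-16-le")


def decode_multi_sz(raw):
    """Inverse of encode_multi_sz. It deliberately does not stop at the first
    empty string: a reader that does (CPython's winreg.QueryValueEx is one)
    returns only the first queued delete and silently drops the rest."""
    text = raw.decode("utf-16-le")
    if not text.endswith("\0"):
        raise ValueError("missing MULTI_SZ terminator")
    body = text[:-1]
    if not body:
        return []
    parts = body.split("\0")
    if parts[-1] != "":
        raise ValueError("last string not NUL-terminated")
    return parts[:-1]


def queue_delete_on_reboot(paths):
    """Queue the deletes through the documented API (Windows only, run as
    administrator). MoveFileExW maintains the registry value itself, so the
    read-back truncation noted above never comes into play."""
    import ctypes
    from ctypes import wintypes
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.MoveFileExW.argtypes = [wintypes.LPCWSTR, wintypes.LPCWSTR, wintypes.DWORD]
    k32.MoveFileExW.restype = wintypes.BOOL
    for p in paths:
        if not k32.MoveFileExW(p, None, MOVEFILE_DELAY_UNTIL_REBOOT):
            raise ctypes.WinError(ctypes.get_last_error())


if __name__ == "__main__":
    # The three files queued in post #2 (paths taken from the post).
    targets = [r"C:\WINDOWS\svehost32.exe",
               r"C:\WINDOWS\SYSTEM\OOBE\blank.htm",
               r"C:\WINDOWS\wkssvc.exe"]
    ops = pending_entries(targets)
    raw = encode_multi_sz(ops)
    assert decode_multi_sz(raw) == ops
    for src in ops[0::2]:
        print(src, "-> (delete at next boot)")
    print(len(raw), "bytes of REG_MULTI_SZ;", "queued" if is_queued(ops, targets[2]) else "not queued")
```

The practical consequence for anyone reproducing the procedure by hand: write the value only through MoveFileExW (or a tool that does), and when checking whether a queued delete survived, compare against the raw bytes rather than a decoded list from a reader that stops at the first empty string.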
 