
Hijack This Help - really messed up computer

#1 - buffotoad (Thread Starter), 09-01-05, 07:19 AM

I am helping a friend get his computer working - kind of like the blind leading the blind - so I need help from you experts. The pc is filled with all kinds of viri, etc. I followed the instructions in the 'readme' section. Now I am posting the HJT log. Thanks for any help.


Logfile of HijackThis v1.99.1
Scan saved at 8:13:19 AM, on 9/1/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\WINNT\Explorer.EXE
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Symantec\LiveUpdate\AUpdate.exe
C:\TEMP\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yoursearch.ws/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yoursearch.ws/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: (no name) - {8DA5457F-A8AA-4CCF-A842-70E6FD274094} - C:\PROGRA~1\COMMON~1\WinTools\WToolsT.dll (file missing)
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1104723381670
O16 - DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} (Snapfish File Upload ActiveX Control) - http://www.snapfish.com/SnapfishUpload.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O21 - SSODL: AOL Instant Messenger - {7AE709E2-FA6C-9AAD-10CE-E91BC0A72120} - (no file)
O21 - SSODL: AproposClient - {31BBED76-227C-9EC1-C934-611C7124C7E4} - (no file)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
#2 - Terrell, 09-01-05, 03:11 PM
Download and install Ad-Aware and Spybot. Update definitions after you install them. Both are free programs. Run them and remove everything they identify. Also, download Microsoft Anti-Spyware and run it. Then run your AV program. See if it identifies any viruses, worms, or trojans; if so, remove them. Then run HiJackThis again and post the log here.

I also recommend after doing all of that, download CrapCleaner or RegSeeker, and clean out your registry of all the leftover junk. But make a backup just to be on the safe side. These are also free programs.

The problem is, even if you remove the offending stuff on HiJackThis, you still probably have a ton of malware on your computer.

#3 - buffotoad (Thread Starter), 09-02-05, 07:28 AM
Terrell - I ran Ad-Aware, Spybot, MS Anti-Spyware and Avast. They found and cleaned a lot of junk.

Question - there are 4 accounts on this computer. I ran the above for one of them. Do I need to run the above for all 4 accounts?

I will post a new HJT log after finding out the answer to the above question.

Thanks for your help.
#4 - buffotoad (Thread Starter), 09-02-05, 12:23 PM
Terrell - I went ahead and ran the programs you suggested for all 4 users to save time. Here is the HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 1:19:43 PM, on 9/2/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\WINNT\Explorer.EXE
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\wuauclt.exe
C:\TEMP\hijackthis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1104723381670
O16 - DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} (Snapfish File Upload ActiveX Control) - http://www.snapfish.com/SnapfishUpload.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Thanks for your help.
#5 - Terrell, 09-02-05, 12:25 PM
Yeah, each account needs to be cleaned, just to be on the safe side.

If you ran all those programs, they should have done a great job cleaning your computer. Though nothing is completely foolproof. That's why I advised you to run numerous programs.

#6 - Terrell, 09-02-05, 02:05 PM
Okay, the only things that look suspicious to me are these. These are search bars or toolbars that get installed on your PC, otherwise known as browser hijacks. Windupdates is a trojan downloader.

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - Default URLSearchHook is missing
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)


Everything else looks pretty good. AIM is AOL Instant Messenger. I assume you use that.

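As an added example (written for this page, not code from the thread or from HijackThis), a small Python triage script that turns Terrell's reading of the log into mechanical rules: R0/R1 start or search pages pointing at a host the owner would not expect, the missing default URLSearchHook, any site placed in the IE Trusted Zone, and O2/O3/O21/O23 entries whose file no longer exists. The sample lines are copied from the first log posted in the thread; the allowlist of expected hosts is an assumption.

```python
import re
from urllib.parse import urlparse

# Constructed sample: lines copied from the first HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yoursearch.ws/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yoursearch.ws/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O15 - Trusted Zone: *.windupdates.com (HKLM)
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
"""

# Every HJT finding line starts with its section code (R0-R3, O1-O23) followed by " - ".
ENTRY_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")

# Hosts an IE start/search page may legitimately point at. This allowlist is an
# assumption for the example; real triage would use the owner's expected homepage.
EXPECTED_HOSTS = {"www.microsoft.com", "www.msn.com", "go.microsoft.com"}
ORPHAN_MARKERS = ("(no file)", "(file missing)")

def parse_hjt(text):
    """Return (section, body) pairs, skipping the header and 'Running processes' block."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries

def triage(entries):
    """Apply the rules of thumb used in this thread and return (section, reason) findings."""
    findings = []
    for section, body in entries:
        if section in ("R0", "R1"):
            # Only a start/search page that points somewhere unexpected is a hijack.
            m = re.search(r"=\s*(https?://\S+)", body)
            if m and urlparse(m.group(1)).hostname not in EXPECTED_HOSTS:
                findings.append((section, "start/search page set to " + m.group(1)))
        elif section == "R3" and "missing" in body:
            findings.append((section, "default URLSearchHook removed; restore the default"))
        elif section == "O15":
            # Anything in the Trusted Zone runs with IE's weakest security settings.
            findings.append((section, "site in Trusted Zone: " + body.split(":", 1)[1].strip()))
        elif section in ("O2", "O3", "O21", "O23") and body.endswith(ORPHAN_MARKERS):
            # Registry points at a file that is gone: leftover of removed malware.
            findings.append((section, "orphaned entry: " + body))
    return findings

if __name__ == "__main__":
    for section, reason in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{section:4} {reason}")
```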
#7 - buffotoad (Thread Starter), 09-02-05, 04:57 PM
Terrell, I am not able to make the changes you suggested above.

I ran Regseeker to clean up the registry junk. Now XP won't start at all - all I get is a blue screen that says Windows XP, with none of the 4 accounts listed. I have a cursor arrow that I can move around, but nothing to select to get any further.

When I ran Regseeker I checked off 'make a backup', but I am unable to get into XP to get to the backup.

I have tried going into 'safe mode' but that stops while drivers are loading.

Any ideas?
#8 - Terrell, 09-02-05, 05:20 PM

> I ran Regseeker to clean up the registry junk. Now XP won't start at all - all I get is a blue screen that says Windows XP, with none of the 4 accounts listed. I have a cursor arrow that I can move around, but nothing to select to get any further.
Nothing we did should have caused that. Can you bring up the taskbar by using CTRL-ALT-DELETE?

Also, have you ever repaired a Windows installation before?
#9 - buffotoad (Thread Starter), 09-02-05, 05:37 PM

No, cannot bring up the taskbar - cannot do anything but move the mouse cursor, and there is nothing to select.

When booting into other modes by pressing F8, it hangs on AGP440.SYS, or something like that.

I have been reading about getting into the recovery console. From what I have read, it looks like I will need the admin password - I don't know what it is. I suspect that the owner of the pc may not know it either.

Is the recovery console where we are headed? What if the owner doesn't know the admin password?

Thanks for your help.
#10 - Terrell, 09-02-05, 05:38 PM
You may need to repair the XP installation. I have no idea what happened, but I'll stick with you until we get it solved. If anyone else wants to jump in, be my guest. Here's a guide on how to start a Windows XP repair.

1/ Before you proceed make sure that your pc is set, via the BIOS, to be able to boot from a CD.

2/ If you cannot boot from your CD you can always use a Windows 98/Me startup disk to begin the install. Boot to the DOS 'A' prompt, making sure you select the option to install CD drivers. Once at the 'A' prompt change the drive letter to that of your CD-ROM and then locate the I386 Folder on the CD. Once you have changed to the I386 directory type, at the prompt, WINNT.EXE and press Enter.

3/ Insert your Windows XP CD into the CD-ROM and reboot your PC

4/ Your system will reboot and an option will appear which states 'Press any key to boot from CD'

5/ Press any key and the Windows XP setup will begin to load from the CD

6/ At the 'Welcome to Setup' screen press Enter

7/ Setup will search your hard drive for any copies of Windows. When it locates a copy you will be asked whether you wish to Install a new copy or Repair

8/ In this instance press the 'Setup Windows XP Now' option by pressing Enter

9/ On NO ACCOUNT press the Repair option. At this stage this will only invoke the Recovery Console and you do not want that option.

10/ The licence agreement should be the next thing that pops up on screen. Press F8 to accept the agreement

11/ In the next window you will see a list of your hard drives. If you only have one copy of Windows installed this will be all that is in the box. If you have multiple copies of Windows operating systems these will also be displayed.

12/ Make sure the Windows copy you wish to repair is highlighted and then Press the 'R' key to begin the repair operation

13/ Now follow the onscreen instructions to repair your installation
#11 - Terrell, 09-02-05, 05:48 PM

> What if the owner doesn't know the admin password?
That could be a problem. Hopefully someone knows it. You probably have to have the password. Here's what Microsoft says about this.

http://support.microsoft.com/default...b;en-us;324764

#12 - buffotoad (Thread Starter), 09-02-05, 06:01 PM
Terrell - what is referenced in your link is exactly what is happening.

I am trying to contact the pc's owner to see if he knows the password, but am getting no answer.

Let's call it a night, and I will post when I get an answer.

Many thanks for your time & effort.
#13 - Terrell, 09-02-05, 06:23 PM

No problem buffotoad. Glad to help. Sorry you encountered this problem after RegSeeker. I've used both RegSeeker and CrapCleaner for the past two years with no problem ever encountered.

I don't believe this is a registry integrity problem. All signs point to a driver problem. Through research, I've found out some people have solved the problem by removing their USB mouse, others by removing their DVD drive, others by updating their BIOS.

My advice, follow Microsoft's instructions first. Then we'll go from there.
#14 - buffotoad (Thread Starter), 09-03-05, 08:35 AM
Terrell, no need to go further with this. As I suspected, the owner didn't know the admin password. I had a utility that I had used in the past that booted from a floppy and allowed changing of the admin password, but that didn't work. So it looked like XP recovery wasn't going to happen.

I'm guessing the pc had too many problems for my level of expertise - viri, etc., were apparent and, with your help, were nearly fixed. I didn't realize there were probably registry problems, driver problems, and who knows what else. With your help I was trying to get it running again, but something irreparable got whacked along the way.

Anyway, my friend wasn't opposed to my just starting from scratch. I laid down a fresh copy of XP and set it up with the usual suite of free protection utilities for him (none of which he was originally running).

I really want to thank you for your time & help. I'm not at your level, but I hope maybe some day I will be able to answer a question for you (or someone else) in an area that I have some knowledge in.

Thanks again!
#15 - Terrell, 09-03-05, 10:23 AM

> I really want to thank you for your time & help.
You're more than welcome buffotoad. Assuming all the important things are backed up, a fresh install of XP will solve all his problems.