TheTechGuide Forum

General Category => Tech Clinic => Topic started by: Derek on October 24, 2004, 12:05:15 PM

Title: HijackThis Logfile Help
Post by: Derek on October 24, 2004, 12:05:15 PM

Here's my logfile, but before that I think I have tried and done everything that was out there to do, but i'm still encountering the same problems.  WhenUSave first of all, then having a problem with stcloader.exe, and lately a file called: ptikik.exe, it's been deleted before but comes back just like savenow.  One of the issues has also caused my external cd burner not to work.

Logfile of HijackThis v1.98.2
Scan saved at 1:05:19 PM, on 10/24/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\kwulul.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\AIM\aim.exe
C:\HJT\HijackThis19802.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cornflakes.netfirms.com/corn/plugin (http://\"http://cornflakes.netfirms.com/corn/plugin\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/...://my.yahoo.com (http://\"http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com\")
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/...://my.yahoo.com (http://\"http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com\")
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - HKLM\..\Run: [O2USB] o2usb.exe
O4 - HKLM\..\Run: [stcloader] C:\WINDOWS\System32\stcloader.exe
O4 - HKLM\..\Run: [WhenUSave] C:\Program Files\Save\Save.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: ICQ 4 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

Title: HijackThis Logfile Help
Post by: guestolo on October 24, 2004, 12:39:00 PM

Let's try this Derek

First, could you download and save IEFIX.zip (http://\"http://www.mytechsupport.ca/helpwithpcs/uploaded/benditup/200410317140_IEFIX.zip.zip\")
to desktop
UNZIP it to your desktop for easy access later, don't run it yet
This will restore your default search settings and home page settings

Set Windows to Show Hidden Files and Folders (http://\"http://www.xtra.co.nz/help/0,,4155-1916458,00.html\")

Navigate to this file --C:\Documents and Settings\All Users\Start Menu\Programs\Startup\kwulul.exe <--file
Right click on it--left click on properties and version
Do you know what it's related too
Please run it through these free online file scanners
Simply use the Browse button to navigate to the file
Right click on it-----Select---Submit

http://www.kaspersky.com/scanforvirus (http://\"http://www.kaspersky.com/scanforvirus\")
http://www.ravantivirus.com/scan/indexn.php (http://\"http://www.ravantivirus.com/scan/indexn.php\")

I will assume the file is bad for now, unless you know what it is
Could you also search for this file o2usb.exe It looks legit, but run it through the scanners too
When searching click on the Advanced Options in Search, ensure the bolded search details are checked

Open Hijackthis>>>Config>>Misc Tools>>Open Process Manager
Kill this
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\kwulul.exe

Disconnect from the Internet completely
Do another Scan with Hijackthis and put a check next to these entries
and then FIX CHECKED when ALL other windows are closed, including this one

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cornflakes.netfirms.com/corn/plugin (http://\"http://cornflakes.netfirms.com/corn/plugin\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/...://my.yahoo.com (http://\"http://red.clientapps.yahoo.com/customize/...://my.yahoo.com\")
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/...://my.yahoo.com (http://\"http://red.clientapps.yahoo.com/customize/...://my.yahoo.com\")
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - Default URLSearchHook is missing

O4 - HKLM\..\Run: [stcloader] C:\WINDOWS\System32\stcloader.exe
O4 - HKLM\..\Run: [WhenUSave] C:\Program Files\Save\Save.exe

RESTART your Computer in SAFE MODE (http://\"http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001060608000039?OpenDocument&ExpandSection=4#_Section4\")

Access your Add/Remove Programs and Remove if found
WhenUSave
SaveNow
Save


Find and delete these files or folders it they exist
C:\WINDOWS\System32\stcloader.exe <--file
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\kwulul.exe <--file, if unknown or found bad

C:\Program Files\Save <--folder

Do a DiskCleanup>>START----Run---type in cleanmgr
Ensure that Temp and Temporary Internet Files are checked

Double click onIEFIX.reg that you extracted earlier on desktop and Allow it to merge to the registry

RESTART back into Normal Mode
Access Internet Options via Control Panel
Under the Programs tab "Reset Web Settings"
Under the General tab---Delete files + offline content---Also Reset home page

Ensure Spybot and Ad-Aware are right up to date and run scans with both
Run a Full System scan with Ad-aware
Ensure you Restart your computer if anything fixed

Post back a fresh hijackthis log