TechSpot

HJT Log

By d00dette
Oct 23, 2006
  1. d00dette

    Hello,

    Here's my HJT log. Any advice on what to fix (I'm pretty sure there must be something) would be greatly appreciated.

    Cheers,

    Sophie
     


  2. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Hello and welcome to Techspot.

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Turn off system restore (XP/ME only). See how here: http://www.bleepingcomputer.com/forums/tutorial56.html

    Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how here: http://www.bleepingcomputer.com/forums/tutorial61.html

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here: http://www.bleepingcomputer.com/forums/tutorial62.html

    Go to Add/Remove Programmes in your control panel and uninstall anything to do with the following (if there).

    Network Monitor
    ToolBar888

    Close control panel.

    Click start/run and type services.msc into the run box and press the enter key.

    When the window appears, maximise it. Double click on the following services (if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

    Network Monitor

    Close the services window.

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for the following (if there).

    netmon.exe
    _mzu_stonedrv8.exe
    ibm00001.exe

    Close task manager.

    Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to each (if there).

    F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"

    O3 - Toolbar: ToolBar888 - {C004DEC2-2623-438e-9CA2-C9043AB28508} - C:\Program Files\Common Files\{38EBB736-0746-2057-0605-06030705002c}\MyToolBar.dll

    O4 - HKLM\..\Run: [_mzu_stonedrv8] c:\windows\system32\_mzu_stonedrv8.exe

    O4 - HKLM\..\RunServices: [_mzu_stonedrv8] c:\windows\system32\_mzu_stonedrv8.exe

    O4 - HKCU\..\Run: [shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"

    O4 - HKCU\..\Run: [_mzu_stonedrv8] c:\windows\system32\_mzu_stonedrv8.exe

    O16 - DPF: {E055C02E-6258-40FF-80A7-3BDA52FACAD7} (Installer Class) - http://activex.matcash.com/speedtest2.dll

    O17 - HKLM\System\CCS\Services\Tcpip\..\{E3B70425-72A6-46A9-8FED-8D414936CD85}: NameServer = 131.111.8.42,131.111.12.20 (Only fix this if it doesn't belong to your ISP.)

    O20 - Winlogon Notify: Explorer - C:\WINDOWS\system32\k4pm0e71eh.dll (file missing)

    O21 - SSODL: DCOM Server 2236 - {2C1CD3D7-86AC-4068-93BC-A02304BB2236} - (no file)

    O21 - SSODL: JFiSXGS - {A8EBB737-0241-1D9D-7204-B91E9E0BDE6D} - C:\WINDOWS\system32\zcen.dll (file missing)

    O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files and/or directories (if there).

    C:\Program Files\Network Monitor Delete the entire folder.

    c:\windows\system32\_mzu_stonedrv8.exe

    C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe

    C:\Program Files\Common Files\{38EBB736-0746-2057-0605-06030705002c}

    Reboot into normal mode, turn system restore back on and rehide your protected OS files.

    Post a fresh HJT log along with an AVG antispyware log. Let me know how your system is running.

    Regards Howard :wave: :wave:

    This thread is for the use of d00dette only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  3. d00dette

    d00dette TS Rookie Topic Starter Posts: 21

    Hi Howard,

    Thanks for all your info - I'll get to it ASAP. Just a quick question - since I'm the only person using my laptop, doesn't that mean I have to boot in Administrator mode?

    Thanks,

    Sophie
     
  4. howard_hopkinso


    Please follow the instructions as presented; that includes booting into safe mode under your usual user name.

    Regards Howard :)

     
  5. d00dette


    Hi Howard,

    Thanks for all your help - my system seems to be running normally now. I was wondering, though: how would I know if this file:

    O17 - HKLM\System\CCS\Services\Tcpip\..\{E3B70425-72A6-46A9-8FED-8D414936CD85}: NameServer = 131.111.8.42,131.111.12.20

    belongs to my ISP or not?

    Cheers,

    Sophie

    P.S. HJT log attached.

    Sorry, here it is. Glancing at it again, I see that Toolbar888's still there..
     
  6. howard_hopkinso


    Edit: Your HJT log is now clean.

    Have HJT fix this inactive entry.

    O3 - Toolbar: ToolBar888 - {C004DEC2-2623-438e-9CA2-C9043AB28508} - C:\Program Files\Common Files\{38EBB736-0746-2057-0605-06030705002c}\MyToolBar.dll (file missing)

    THIS is the info that comes up on a Whois search for that IP address.

    Cambridge University. If that's correct, then don't fix the O17 entry.

    If you have any further virus/spyware problems, please post in this thread.

    Regards Howard :)

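    To make the checks applied in this thread repeatable (the list of entries to fix in post 2 and the "does the O17 NameServer belong to your ISP" question answered just above), here is an added example; it is not code from the thread, from HijackThis or from TechSpot. It parses HJT entry lines, extracts the O17 resolver addresses and compares them against an expected resolver range, and buckets "(file missing)" and autostart entries for review. The sample entries are constructed from the lines quoted in this thread, and the range 131.111.0.0/16 is an assumption standing in for whatever whois reports for your own resolvers.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample: the entry lines quoted in this thread, not a full HJT log.
SAMPLE_HJT = r"""
F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - HKLM\..\Run: [_mzu_stonedrv8] c:\windows\system32\_mzu_stonedrv8.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{E3B70425-72A6-46A9-8FED-8D414936CD85}: NameServer = 131.111.8.42,131.111.12.20
O20 - Winlogon Notify: Explorer - C:\WINDOWS\system32\k4pm0e71eh.dll (file missing)
O21 - SSODL: DCOM Server 2236 - {2C1CD3D7-86AC-4068-93BC-A02304BB2236} - (no file)
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
"""

# Assumption: the thread only says whois maps the two resolvers to Cambridge University;
# treating 131.111.0.0/16 as the expected resolver range is this example's own choice.
TRUSTED_RESOLVER_CIDRS = ["131.111.0.0/16"]

ENTRY_RE = re.compile(r"^([FRO]\d+) - (.*)$")

def parse_entries(log_text):
    """Split HJT output into (kind, body) pairs such as ('O17', 'HKLM\\...')."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries

def nameservers(body):
    """Pull the resolver addresses out of an O17 'NameServer = a,b' body."""
    m = re.search(r"NameServer = ([\d.,\s]+)", body)
    if not m:
        return []
    return [ip_address(x) for x in re.split(r"[,\s]+", m.group(1).strip()) if x]

def untrusted_resolvers(body, trusted_cidrs):
    """O17 resolvers outside every trusted network; empty means 'belongs to your ISP'."""
    nets = [ip_network(c) for c in trusted_cidrs]
    return [str(ip) for ip in nameservers(body) if not any(ip in n for n in nets)]

def triage(log_text, trusted_cidrs=TRUSTED_RESOLVER_CIDRS):
    """Bucket entries by the check the thread applies: dead references, the O17
    DNS check, and autostart points (F2 shell, O4 Run keys, O23 services)."""
    report = {"file_missing": [], "untrusted_dns": [], "autostart": []}
    for kind, body in parse_entries(log_text):
        if "(file missing)" in body or "(no file)" in body:
            report["file_missing"].append(f"{kind} - {body}")
        if kind == "O17":
            report["untrusted_dns"].extend(untrusted_resolvers(body, trusted_cidrs))
        if kind in ("F2", "O4", "O23"):
            report["autostart"].append(f"{kind} - {body}")
    return report
```

    Call triage(SAMPLE_HJT) to see the three buckets for the constructed sample; pass your own HJT log text and your resolver range to check a real log.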
     
  7. d00dette


    Yes, that's right. Glad I didn't delete it. HJT log in my previous post above.
     
  8. howard_hopkinso


    I have edited my post above because our posts crossed.

    Regards Howard :)

     
  9. d00dette


    When I right click on my toolbar, toolbar888 still comes up as an option. Does this mean it's not fully removed from the system?

    Cheers,

    Sophie
     
  10. howard_hopkinso


    Please post a fresh HJT log.

    Regards Howard :)

     
  11. d00dette


    Also, viruses are still popping up...
     
  12. howard_hopkinso


    In that case, please give me details.

    Post a fresh HJT log; I also require a fresh AVG Antispyware log. You can find instructions for AVG Antispyware HERE.

    Regards Howard :)

     
  13. d00dette


    Here it is. Will be away from computer for next few hours so will leave it turned off.

    Cheers,

    Sophie
     
  14. howard_hopkinso


    Download the Pocket Killbox programme from HERE. Extract it to your desktop.

    Run HJT with no other programmes open. Click the scan button. Have HJT fix the following, by placing a tick in the little box next to it (if there).

    O3 - Toolbar: ToolBar888 - {C004DEC2-2623-438e-9CA2-C9043AB28508} - C:\Program Files\Common Files\{38EBB736-0746-2057-0605-06030705002c}\MyToolBar.dll (file missing)

    Click on the fix checked button.

    Close HJT.

    Run the killbox.exe file. When it loads, type the full path to the file you would like to delete in the field and check the "Delete File on Reboot" button. Press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot; select No until you have finished inputting the files you want to delete, and only then allow it to reboot. Hopefully your files will now be deleted.

    This is the filepath you need to enter into killbox.

    C:\Program Files\Common Files\{38EBB736-0746-2057-0605-06030705002c}\MyToolBar.dll

    Once your system has rebooted, post a fresh HJT log. You must also install and run AVG Antispyware and attach its log, as per these instructions HERE.

    Regards Howard :)

     
  15. d00dette


    When I try to delete the file using Killbox it gives me this message:

    PendingFileRenameOperations Registry Data has been removed by External Process!

    Any advice?

    Cheers,

    Sophie
     
  16. howard_hopkinso


    Post the log files I asked for please.

    Regards Howard :)

     
  17. d00dette


    Here you go.

    Cheers,

    Sophie
     
  18. howard_hopkinso


    I have asked you several times to post an AVG Antispyware log. Despite this, no such log has been posted.

    Unless you post an AVG Antispyware log I can't help you any further.

    Regards Howard :(

     
  19. d00dette


    Here is an HJT log and an AVG Anti-spyware report.

    Cheers,

    Sophie
     
  20. howard_hopkinso


    Delete all files in AVG Antispyware quarantine.

    1. Please download The Avenger by Swandog46 from HERE. Save it to your Desktop and extract it.

    2. Download the attached avengerscript.txt and save it to your desktop

    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

    3. Now, start The Avenger program by double clicking on its icon on your desktop.

    Under "Script file to execute" choose "Load script from file".
    Now click on the folder icon, which will open a new window titled "Open Script File".
    Navigate to the file you have just downloaded, click on it and press Open.
    Now click on the Green Light to begin execution of the script.
    Answer "Yes" twice when prompted.

    4. The Avenger will automatically do the following:

    It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
    On reboot, it will briefly open a black command window on your desktop, this is normal.
    After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
    The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

    5. When it reboots, please copy/paste the content of c:\avenger.txt into your reply and post a fresh HJT log.

    Regards Howard :)

     
  21. d00dette


    Logfile of The Avenger version 1, by Swandog46
    Running from registry key:
    \Registry\Machine\System\CurrentControlSet\Services\rmctyxma

    *******************

    Script file located at: \??\C:\tpofhsxv.txt
    Script file opened successfully.

    Script file read successfully

    Backups directory opened successfully at C:\Avenger

    *******************

    Beginning to process script file:

    File C:\Documents and Settings\Sophie Erskine\Local Settings\Temporary Internet Files\Content.IE5\IBUJI1YF\speedtest2[1].dll deleted successfully.
    File C:\Documents and Settings\Sophie Erskine\Local Settings\Temp\ICD1.tmp\UWA6P_0001_N91M1807NetInstaller.exe deleted successfully.
    File C:\Documents and Settings\Sophie Erskine\Local Settings\Temp\ICD2.tmp\UWA6P_0001_N91M1807NetInstaller.exe deleted successfully.


    Could not open file C:\Documents and Settings\Sophie Erskine\Local Settings\Temp\Temporary Internet Files\Content.IE5\0A2LM56Y\WinAntiVirusPro2006FreeInstall[1].cab/UWA6P_0001_N91M1807NetInstaller.exe for deletion
    Deletion of file C:\Documents and Settings\Sophie Erskine\Local Settings\Temp\Temporary Internet Files\Content.IE5\0A2LM56Y\WinAntiVirusPro2006FreeInstall[1].cab/UWA6P_0001_N91M1807NetInstaller.exe failed!

    Could not process line:
    C:\Documents and Settings\Sophie Erskine\Local Settings\Temp\Temporary Internet Files\Content.IE5\0A2LM56Y\WinAntiVirusPro2006FreeInstall[1].cab/UWA6P_0001_N91M1807NetInstaller.exe
    Status: 0xc0000033

    File C:\WINDOWS\Downloaded Program Files\CONFLICT.1\UWA6P_0001_N91M1807NetInstaller.exe deleted successfully.
    File C:\WINDOWS\Downloaded Program Files\CONFLICT.2\UWA6P_0001_N91M1807NetInstaller.exe deleted successfully.


    Could not open file C:\WINDOWS\Downloaded Program Files\CONFLICT.3\UWA6P_0001_N91M1807NetInstaller.exeC:\WINDOWS\Downloaded Program Files\UWA6P_0001_N91M1807NetInstaller.exe for deletion
    Deletion of file C:\WINDOWS\Downloaded Program Files\CONFLICT.3\UWA6P_0001_N91M1807NetInstaller.exeC:\WINDOWS\Downloaded Program Files\UWA6P_0001_N91M1807NetInstaller.exe failed!

    Could not process line:
    C:\WINDOWS\Downloaded Program Files\CONFLICT.3\UWA6P_0001_N91M1807NetInstaller.exeC:\WINDOWS\Downloaded Program Files\UWA6P_0001_N91M1807NetInstaller.exe
    Status: 0xc0000033

    File C:\WINDOWS\Temp\ICD1.tmp\UWA6P_0001_N91M1807NetInstaller.exe deleted successfully.


    Could not open file C:\Program Files\Common Files\{38EBB736-0746-2057-0605-06030705002c}\MyToolBar.dll for deletion
    Deletion of file C:\Program Files\Common Files\{38EBB736-0746-2057-0605-06030705002c}\MyToolBar.dll failed!

    Could not process line:
    C:\Program Files\Common Files\{38EBB736-0746-2057-0605-06030705002c}\MyToolBar.dll
    Status: 0xc000003a


    Completed script processing.

    *******************

    Finished! Terminate.
     
  22. howard_hopkinso


    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Turn off system restore (XP/ME only). See how here: http://www.bleepingcomputer.com/forums/tutorial56.html

    Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how here: http://www.bleepingcomputer.com/forums/tutorial61.html

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here: http://www.bleepingcomputer.com/forums/tutorial62.html

    Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to it (if there).

    O3 - Toolbar: ToolBar888 - {C004DEC2-2623-438e-9CA2-C9043AB28508} - C:\Program Files\Common Files\{38EBB736-0746-2057-0605-06030705002c}\MyToolBar.dll (file missing)

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files and/or directories (if there).

    C:\Program Files\Common Files\{38EBB736-0746-2057-0605-06030705002c}\MyToolBar.dll Let me know if you manage to find this file.

    Reboot into normal mode, turn system restore back on and rehide your protected OS files.

    Post a fresh HJT log.

    Regards Howard :)

     
  23. d00dette


    Here it is - Toolbar888's still there, I'm afraid.. Shall I try Killbox again?

    Cheers,

    Sophie

    Oh, and the bold file wasn't there.
     
  24. howard_hopkinso


    Ok, go HERE and follow the instructions. I would have told you earlier, but I have only just discovered this as of yesterday.

    Post a fresh HJT log when done.

    Regards Howard :)

     
  25. d00dette


    Hi Howard,

    Thanks for the link - it picked up on a whole new set of stuff. The only thing is, in order to remove anything, I need to pay for the full version..

    I've attached the support log for this new program. Any advice?

    Cheers,

    Sophie

    PS. shall I try to remove it manually?
     
Topic Status:
Not open for further replies.
