TechSpot

I know you all are probably tired of these HJT views

By drkfada
Feb 1, 2007
  1. I'm sorry....but I really tried to find these things on my own...but I need an assist on this one. Attached is my HJT.txt file; thank you all in advance. You probably can tell from my log..the defensive measures I've taken to keep this from happening...but it did. I'm receiving the "program is being used" error msg when I do a start run/cmd and when I try to go into the c: prompt view.
     
  2. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Hello and welcome to Techspot.

    Download the Pocket Killbox programme from HERE. Extract it but don't run it yet.

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

    Click start/run and type services.msc into the run box and press the enter key.

    When the window appears, maximise it. Double click on the following services (if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

    winlog

    Close the services window.


    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for (if there).

    vbteq.exe
    hwahcgu.exe
    winlog.exe
    Regclean.exe

    Close task manager.

    Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there).

    R3 - URLSearchHook: (no name) - _{9B468925-C1BF-C300-44D2-8AC018FC90BF} - (no file)

    F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\vbteq.exe

    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,hwahcgu.exe

    O4 - HKLM\..\RunServices: [winlog] winlog.exe

    O4 - HKCU\..\Run: [Registry Cleaner] "C:\Program Files\Registry Cleaner Trial\Regclean.exe" -startminimize

    O4 - Global Startup: svchost.exe

    O8 - Extra context menu item: Html To Image - C:\Program Files\Html To Image\menu.htm

    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

    O17 - HKLM\System\CCS\Services\Tcpip\..\{2C20A48E-D848-450D-94D1-D736E0E57C38}: NameServer = 205.171.3.65,205.171.2.65

    O17 - HKLM\System\CS1\Services\Tcpip\..\{2C20A48E-D848-450D-94D1-D736E0E57C38}: NameServer = 205.171.3.65,205.171.2.65

    O17 - HKLM\System\CS2\Services\Tcpip\..\{2C20A48E-D848-450D-94D1-D736E0E57C38}: NameServer = 205.171.3.65,205.171.2.65

    Only fix the above O17 entries if they don't belong to your ISP.

    O18 - Protocol: bt2 - {1730B77B-F429-498F-9B15-4514D83C8294} - (no file)

    O18 - Filter: application/x-bt2 - {6E1DDCE8-76BC-4390-9488-806E8FB1AD77} - (no file)

    O20 - Winlogon Notify: MS-DOS Emulation - C:\WINDOWS\system32\f40o0ed3eh0.dll

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files and/or directories (if there).

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\svchost.exe (Do not delete any other svchost.exe file.)

    C:\WINDOWS\system32\vbteq.exe
    C:\WINDOWS\system32\userinit.exe,hwahcgu.exe

    winlog.exe (Search your system for this file and delete all instances found. Not to be confused with winlogon.exe.)

    Run the killbox.exe file. When it loads, type the full path to the file you would like to delete in the field and check the delete file on reboot button. Press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot; select no until you have finished inputting the files you want to delete, only then allow it to reboot and hopefully your files will now be deleted. If your computer doesn't automatically restart, restart it manually.

    This is the filepath you need to enter into killbox.

    C:\WINDOWS\system32\f40o0ed3eh0.dll

    Reboot into normal mode and rehide your protected OS files.

    Post a fresh HJT log as well as an AVG Antispyware log. Instructions for downloading, installing and running AVG Antispyware can be found in this thread HERE.

    Regards Howard

    This thread is for the use of drkfada only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
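The entries Howard lists above are the classic Windows XP persistence points: the system.ini Shell and UserInit values, Run/RunServices keys, the all-users Startup folder, Winlogon Notify packages, and the per-interface NameServer value. The script below is an added example (not part of this thread and not HijackThis code) that parses HJT log lines of those formats and reports which ones deviate from the stock XP defaults. SAMPLE_LOG is constructed from the entries quoted in the thread plus one benign O20 line; the Winlogon Notify allow-list, the system-process name list and the expected_dns argument are assumptions made for this example. O17 lines are deliberately only marked "review" unless the operator supplies the ISP's resolver addresses, because deleting a legitimate resolver is what broke drkfada's browsing later in this thread, and the UserInit check keeps userinit.exe itself, which is a legitimate Windows file.

```python
"""Triage helper for HijackThis (HJT) log lines (added example, not HJT code).

Parses the R3, F2, O4, O17 and O20 entry formats seen in the thread and
reports which ones deviate from Windows XP defaults.  The allow-lists and
expected_dns are assumptions made for this example.
"""
import re
from collections import Counter

# Winlogon Notify packages on a stock Windows XP install (assumed allow-list).
KNOWN_WINLOGON_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "ScCertProp",
                         "Schedule", "sclgntfy", "SensLogn", "termsrv", "wlballoon"}

# Core process names that malware borrows; the legitimate copies live in System32.
SYSTEM_PROCESS_NAMES = {"svchost.exe", "winlogon.exe", "userinit.exe",
                        "lsass.exe", "csrss.exe", "services.exe"}

# Constructed sample: the lines quoted in the thread, plus one benign O20 line.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - _{9B468925-C1BF-C300-44D2-8AC018FC90BF} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\vbteq.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,hwahcgu.exe
O4 - HKLM\..\RunServices: [winlog] winlog.exe
O4 - HKCU\..\Run: [Registry Cleaner] "C:\Program Files\Registry Cleaner Trial\Regclean.exe" -startminimize
O4 - Global Startup: svchost.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{2C20A48E-D848-450D-94D1-D736E0E57C38}: NameServer = 205.171.3.65,205.171.2.65
O20 - Winlogon Notify: MS-DOS Emulation - C:\WINDOWS\system32\f40o0ed3eh0.dll
O20 - Winlogon Notify: Schedule - C:\WINDOWS\system32\wlnotify.dll
"""

LINE_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.+)$")


def parse_log(text):
    """Return [(section, body), ...] for every HJT entry line in text."""
    out = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            out.append((m.group("section"), m.group("body")))
    return out


def _basename(path):
    return path.rsplit("\\", 1)[-1]


def _o4_program(body):
    """Pull the launched program out of an O4 body, handling quoted paths."""
    cmd = (body.split("] ", 1)[1] if "] " in body else body.split(": ", 1)[1]).strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split(" ", 1)[0]


def _split_list(value):
    return [p.strip() for p in value.split(",") if p.strip()]


def triage(text, expected_dns=None):
    """Return [(section, verdict, reason)]; verdict is suspicious/review/orphan/ok.

    expected_dns: the ISP's resolver IPs, if known. With None, O17 entries are
    only marked "review": deleting a legitimate resolver cuts off name resolution.
    """
    findings = []
    for section, body in parse_log(text):
        if body.endswith("(no file)") or "(file missing)" in body:
            findings.append((section, "orphan", "target no longer exists; safe to remove"))
        elif section == "F2" and "Shell=" in body:
            parts = _split_list(body.split("Shell=", 1)[1])
            if [p.lower() for p in parts] == ["explorer.exe"]:
                findings.append((section, "ok", "default shell"))
            else:
                findings.append((section, "suspicious", "Shell should be exactly Explorer.exe, got " + ", ".join(parts)))
        elif section == "F2" and "UserInit=" in body:
            parts = _split_list(body.split("UserInit=", 1)[1])
            extra = [p for p in parts if _basename(p).lower() != "userinit.exe"]
            if extra:
                findings.append((section, "suspicious", "UserInit also launches " + ", ".join(extra) + " (userinit.exe itself is legitimate, keep it)"))
            else:
                findings.append((section, "ok", "default UserInit"))
        elif section == "O4":
            prog = _o4_program(body)
            if _basename(prog).lower() in SYSTEM_PROCESS_NAMES and not prog.lower().startswith("c:\\windows\\system32\\"):
                findings.append((section, "suspicious", prog + " uses a core Windows process name but is not the System32 copy"))
            elif "\\" not in prog:
                findings.append((section, "review", prog + " is a bare filename; locate it before trusting it"))
            else:
                findings.append((section, "review", "third-party autostart " + prog + "; verify the publisher"))
        elif section == "O17" and "NameServer = " in body:
            servers = _split_list(body.split("NameServer = ", 1)[1])
            if expected_dns is None:
                findings.append((section, "review", "NameServer " + ", ".join(servers) + ": confirm with the ISP before fixing"))
            elif set(servers) <= set(expected_dns):
                findings.append((section, "ok", "NameServer matches the ISP's resolvers"))
            else:
                findings.append((section, "suspicious", "NameServer " + ", ".join(servers) + " is not an ISP resolver (possible DNS hijack)"))
        elif section == "O20" and "Winlogon Notify: " in body:
            pkg, _, dll = body.split("Winlogon Notify: ", 1)[1].partition(" - ")
            if pkg in KNOWN_WINLOGON_NOTIFY:
                findings.append((section, "ok", "stock Winlogon Notify package " + pkg))
            elif re.search(r"\d", _basename(dll).rsplit(".", 1)[0]):
                findings.append((section, "suspicious", "unknown package " + pkg + " loads random-looking DLL " + dll))
            else:
                findings.append((section, "review", "unknown Winlogon Notify package " + pkg))
    return findings


def summarize(findings):
    """Count verdicts, e.g. {'suspicious': 4, 'review': 3, 'orphan': 1, 'ok': 1}."""
    return dict(Counter(verdict for _, verdict, _ in findings))


if __name__ == "__main__":
    for section, verdict, reason in triage(SAMPLE_LOG):
        print(f"{section:<4} {verdict:<10} {reason}")
```

Run it as a script to see one line per entry. Passing expected_dns={"205.171.3.65", "205.171.2.65"} turns the O17 line from "review" into "ok", which is the check that would have avoided the broken browser in the next post; the script only classifies log lines, it does not change the registry.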
     
  3. drkfada

    drkfada TS Rookie Topic Starter

    thx for getting back to me. I can notice the change on my system now that I can access my run command and so on..but I think I messed up my internet explorer when I deleted the O17 entries...I couldn't tell they were related to my ISP..but apparently they were because I can't go anywhere on the net. I can bring up the browser...but that's it. So I have to figure a way to restore that, then I can shoot you the information from my hijackthis log. Once again thx.
     
  4. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Ok, do the following. Run HJT and click on the config button, followed by the Backups button. Locate the O17 entries in the list and place a tick in the little box next to them. Click the restore button/yes. Close HJT and reboot your system; your internet should now work.

    Regards Howard :)
     
  5. drkfada

    drkfada TS Rookie Topic Starter

    thx YOU'RE THE MAN!!!
     
  6. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Post a fresh HJT log as well as an AVG Antispyware log. Instructions for downloading, installing and running AVG Antispyware can be found in this thread HERE.

    Regards Howard :)
     
  7. drkfada

    drkfada TS Rookie Topic Starter

    Will I have to run HJT in safe mode, or from the regular XP mode?
     
  8. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Run AVG Antispyware in safe mode and HJT in normal mode after you've done the AVG scan.

    Regards Howard :)
     
  9. drkfada

    drkfada TS Rookie Topic Starter

    Couldn't spit out the AVG log; for some reason it locked. Here's my new HJT. Should I delete the things found in AVG or use the recommended function?
     
  10. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    I really need to see an AVG Antispyware log, although I do appreciate you're having problems with it. You should change the recommended action to quarantine.

    Your HJT log is still infected with various nasties.

    Download combofix.exe. Double click combofix.exe & follow the prompts. A window will open with a warning. Type "Y" (and Enter) to start the fix. When the scan completes it will open a text window. Please attach that log back here together with a fresh HJT log and an AVG Antispyware log if you can. Caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

    Regards Howard :)
     
  11. drkfada

    drkfada TS Rookie Topic Starter

    Here's all of the reports..
     
  12. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    That's looking much better.

    Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there).

    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

    Click on the fix checked button.

    Close HJT.

    Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for (if there).

    hsnpovgz.exe

    Close task manager.

    Locate and delete the following bold files and/or directories (if there).

    C:\WINDOWS\SYSTEM32\hsnpovgz.exe

    Reboot into normal mode and rehide your protected OS files.

    Post a fresh AVG Antispyware log and let me know if you're still having problems.

    Regards Howard :)
     
Topic Status:
Not open for further replies.