TechSpot

Need help with this Hijack log

By JeffatTT
May 25, 2006
  1. Looks like a Smit-Fraud variant. Could someone help me and advise me what to do next?

    This is part 1 of the HJT file.
     
  2. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Hello and welcome to Techspot.

    HJT logs should be posted as a .txt attachment.

    Go HERE and follow the instructions. Start at step 3, then do steps 1/2/4/5 etc.

    Post a fresh HJT log as an attachment into this thread, only after doing the above.

    I have moved this thread to our security and the web forum.

    Regards Howard :wave: :wave:
     
  3. JeffatTT

    JeffatTT TS Rookie Topic Starter

    Hijack log... please advise.

    OK... just ran safe mode... ran the SmitFraud DOS-based program to find and clean.

    Here's the latest Hijack file. Also, I noticed on the C drive not only a Windows folder but a Windows.1 and Windows.0 folder as well. Additionally, when I booted in safe mode, I was given a choice of 3 Windows XP operating systems to log on to. I chose the first one in the list since they looked identical.

    Please help me.
     
  4. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Boot into safe mode. See how HERE. http://www.bleepingcomputer.com/forums/tutorial61.html

    Turn off system restore.(XP/ME only) See how HERE. http://www.bleepingcomputer.com/forums/tutorial56.html

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE. http://www.bleepingcomputer.com/forums/tutorial62.html

    Click start/run and type regsvr32 /u C:\WINDOWS.1\system32\shdocvw.dll into the run box and press the enter key. Note the space between the 2 and the forward slash and again between the u and c.

    Go to add remove programmes in your control panel and uninstall anything to do with(if there).

    Poker.com
    EmpirePokerMaster\EmpirePoker
    PartyGaming\PartyCasino
    PartyGaming\PartyPoker
    PartyGaming.Net\PartyPokerNet

    Close control panel.

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for(if there).

    poker.exe
    RunEPoker.exe
    RunCasino.exe
    RunApp.exe
    RunPF.exe

    Close task manager.

    Run HJT with no other programmes open. Have HJT fix the following, by placing a tick in the little box next to(if there).

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

    R3 - Default URLSearchHook is missing

    O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file)

    O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\WINDOWS.1\system32\shdocvw.dll

    O9 - Extra button: Poker.com - {6FDD5236-C9F0-49ef-935D-385F5E21991A} - C:\Program Files\Poker.com\poker.exe

    O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePokerMaster\EmpirePoker\RunEPoker.exe (file missing)

    O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePokerMaster\EmpirePoker\RunEPoker.exe (file missing)

    O9 - Extra button: PartyCasino.com - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\Program Files\PartyGaming\PartyCasino\RunCasino.exe

    O9 - Extra 'Tools' menuitem: PartyCasino.com - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\Program Files\PartyGaming\PartyCasino\RunCasino.exe

    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe

    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe

    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS.1\system32\Shdocvw.dll

    O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)

    O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)

    Fix all 016-DPF entries.

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files(if there).

    C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe
    C:\WINDOWS.1\system32\Shdocvw.dll
    C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
    C:\Program Files\PartyGaming\PartyCasino\RunCasino.exe
    C:\Program Files\EmpirePokerMaster\EmpirePoker\RunEPoker.exe
    C:\Program Files\Poker.com\poker.exe
    C:\windows\system32\blank.htm


    Reboot into normal mode and turn system restore back on.


    Regards Howard :)
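    As an added illustration, not code from the thread or from HijackThis, here is a small Python triage pass over the entries listed above: it parses each R0/O3/O9 line, flags dangling references, checks whether a referenced file lives under a Windows folder other than the one the machine actually boots from (the active root is passed in as an assumed parameter; on a live machine it is %SystemRoot%), and marks shdocvw.dll as a core shell component so it is not deleted from the active root.

```python
import re

# Constructed sample: HijackThis entries copied from the log excerpt quoted in the thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R3 - Default URLSearchHook is missing
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file)
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\WINDOWS.1\system32\shdocvw.dll
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePokerMaster\EmpirePoker\RunEPoker.exe (file missing)
O9 - Extra button: Poker.com - {6FDD5236-C9F0-49ef-935D-385F5E21991A} - C:\Program Files\Poker.com\poker.exe
"""

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
TAIL_RE = re.compile(r"(?:(?P<path>[A-Za-z]:\\.*?)\s*)?(?:\((?P<status>file missing|no file)\))?\s*$")
WINROOT_RE = re.compile(r"^([A-Za-z]:\\windows(?:\.\d+)?)\\", re.IGNORECASE)

UNWANTED = {"poker.exe", "runepoker.exe", "runcasino.exe", "runapp.exe", "runpf.exe"}  # named in the thread
CORE_SHELL = {"shdocvw.dll"}  # legitimate Windows shell DLL; removing it from the live root breaks Explorer

def parse_entry(line):
    """Split one HJT line into kind (R0/O9/...), referenced path and status, or None if not an entry."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    tail = TAIL_RE.search(m.group("body"))  # always matches (possibly empty at end of line)
    return {"kind": m.group("kind"), "path": tail.group("path"), "status": tail.group("status")}

def triage(log_text, active_root):
    """Annotate each entry; active_root is the Windows folder the machine really boots from (assumed input)."""
    results = []
    for line in log_text.splitlines():
        e = parse_entry(line)
        if e is None:
            continue
        notes = []
        if e["status"]:
            notes.append(f"dangling ({e['status']}): target gone, entry is safe to fix")
        if e["path"]:
            name = e["path"].rsplit("\\", 1)[-1].lower()
            root = WINROOT_RE.match(e["path"])
            if root and root.group(1).lower() != active_root.lower():
                notes.append(f"under {root.group(1)}, not the active root {active_root}")
            if name in CORE_SHELL:
                notes.append("core shell DLL: unregister/fix the entry, do not delete the file under the active root")
            if name in UNWANTED:
                notes.append("executable the thread lists for removal")
        results.append((e["kind"], e["path"], notes))
    return results

if __name__ == "__main__":
    for kind, path, notes in triage(SAMPLE_LOG, r"C:\WINDOWS.1"):
        print(kind, path, "; ".join(notes) or "no finding")
```

Run it once with each candidate root (C:\WINDOWS and C:\WINDOWS.1) and the notes show which folder the live system depends on before any file under it is renamed or deleted.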
     
  5. JeffatTT

    JeffatTT TS Rookie Topic Starter

    Thank you Howard for the quick reply. Just completed all of your steps.

    I could not delete C:\Windows.1\system32\shdocvw.dll, so I renamed it
    badshdocvw.bad

    However I received an error message upon reboot stating the above file could not be located and Explorer would not run.

    The computer must still think it is booting to the Windows.1 folder. I just have a blank screen. I AM able to launch the task manager but nothing else.

    What next?
     
  6. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Pop in your Windows disk and do a repair as per this thread HERE.

    Regards Howard :)
     
  7. JeffatTT

    JeffatTT TS Rookie Topic Starter

    Yikes... I'm troubleshooting this remotely, and I'm not sure whether the person on the other end even has the Windows CD.

    Any way around the CD? I noticed the missing file I referred to IS in the Windows folder, just not in the Windows.1 folder.

    What exactly would this mean? Can I get the system to boot to the correct folder?

    Jeff
     
  8. JeffatTT

    JeffatTT TS Rookie Topic Starter

    Oh yes... could I force a system restore? Would that help?
     
  9. JeffatTT

    JeffatTT TS Rookie Topic Starter

    Here's an updated HJT log.

    System still chugging and seems to be pointing to the wrong windows folder. Please help.

    Jeff
     