IadHide5.dll and other stuffs

[Kaye]

Recently, I've discovered that a virus has decided to manifest in my system. Naturally, I was worried and such, but I thought I'd be able to get rid of it; After re-enabling my registry, re-enabling my folder options, and such, I've found that there's a list of .exe's that are named similarily to system processes - Meaning some I can end when I see, and some I can't. Scanning, deleting, and changing properties hasn't done anything, because it appears to restore itself constantly. Disabling the on startup items, with CCleaner, as well as scanning/quarentining, I'll post a Hijackthis log, and I'm hoping somebody can help..

~Edit
I'm running Windows XP, if that helps.

 

[Zyldar]

Please install, update, run, & post logs for Malwarebytes, & spybot s&d as well.

You should Run the scans in Windows SAFE Mode.
(Press the F8 key on bootup prior to the Windows Logo appearing to bring up a boot options window)
(Up arrow to SAFE MODE and press Enter)

 

[Kaye]

Where would I get those programs? I read the 8 steps and didn't see them, but I may have skimmed too fast; Will I be able to post logs from safemode, or will I have to save 'em and boot up in normal mode?

 

[Zyldar]

You can download Malwarebytes from:
http://malwarebytes.org - a Download button will apear on the their home page on the left side.

You can download Spybot s&d from:
http://www.safer-networking.org/en/mirrors/index.html

You can only post in SAFE Mode if you boot with the option "safe mode with networking".

After you run and save the scans or reports, reboot the computer before trying to post. If your browser is infected, then opening it in safe mode can still re-infect your computer.

Your hijackthis is an older version and you might want to download & use a newer version.
http://free.antivirus.com/hijackthis/

Also, download & run Rootkitbuster:
http://free.antivirus.com/rootkit-buster/

The log you posted shows multiple system files running from a TEMP folder. Hopefully running the scans in SAFE Mode will clean them.

Please install, update, & run all of the scans in SAFE Mode and post the logs.

Hope that helps.
Zyldar

 

[Bobbye]

Usually the newer members have not read this, which is available right above this forum:

Special governing rules for the Virus & Malware removal board> https://www.techspot.com/vb/topic120350.html

Because of the complexity and variety of issues posted by users, we have found the necessity of creating a guide. Read: "8-step Viruses/Spyware/Malware Preliminary Removal Instructions".

2) We request ALL members that want Virus/Malware help to follow these simple steps which will ease the transition from coming to help to actually receiving it.
For other type of support, please choose the appropriate forum (e.g. Our BSOD Help & Support forum is another section dedicated to member support).

This was set up because new members were having people run many different programs and it was found that there was no guidance. You will find all the links for the programs in the thread.

 

[Kaye]

Well, I apologize; Anyhow, here's the new log attached. I looked in the 'temp' folder, and there's still an install.exe, but everything else appears to be gone.. There is, however, a log file in the temp folder;
The system cannot open the device or file specified.
The system cannot open the device or file specified.
The system cannot open the device or file specified.
The system cannot open the device or file specified.
The system cannot open the device or file specified.
The system cannot open the device or file specified.
The system cannot open the device or file specified.
The system cannot open the device or file specified.
The system cannot open the device or file specified.
The system cannot open the device or file specified.
The system cannot open the device or file specified.
Internal Error 2755. 110, C:\Program Files\Common Files\Wise Installation Wizard\WISCDDCBBF1270346BC938BBCC81A1EEAAA_4_28_0_1010.MSI
=== Logging stopped: 9/6/2009 16:41:08 ===

It said that. Attached is the hijackthis log.

Edit~
I'm going to restart in safe mode /again/ and run the two scanners, again, because I ran that rootkit buster and it found quite a lot of items, attaching that as well, and when I selected them, it said they'd been deleted, and to restart my CPU, which I'm doing. Be back soon with results!

 

[Bobbye]

My apology Kaye. The message was meant for Zyldar, not you. Sometimes a new member will attempt to assist someone with a malware cleaning but doesn't know about the programs that have been listed as to be run first.

Go to Start>>Control Panel>>Add or Remove Programs and uninstall Logitech Desktop Messenger

Why don't you just run a new HJT after the uninstall and let someone help you with that.

 

[Kaye]

Alright, I ran the scans and took a Hijack after getting rid of everything with both scanners, and I'll be posting a log. I then, removed my Logitech DM, even though that was installed awhile ago because of my mouse/keyboard, and I'll be posting that too, I'll call it, "AfterRemoveLog," or something.

 

[Kaye]

Okay, everything seems to be better, the EXE's haven't returned, nothing's going wrong.. However, if anybody might have a fix for this;
For a while, now, whenever I open things up like Google, and I do a search, it'll have the list of results - Here's the problem. Sometimes, when I click a link, it'll redirect me to something else, and it's extremely annoying, because I'll have to copy the link and open a new tab to go where I'm trying to go. When I went to Google on Opera, it told me my computer was sending automated queries, and I'm wondering if anybody might know what's causing this? I have reinstalled my browser before, and it didn't help.

 

[Zyldar]

I'm happy that your scans & computer are running better.
Your hijackthis logs look a lot better.

You still need to remove the following in hijackthis:
(when running a scan, place a check next to the following items and remove them.)

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 41.210.252.11:8080

Note: A proxy server is normally only used for businesses that block certain domains from being accessed. If you're not using a work computer that requires a proxy server, there should be no proxy server. If you need help changing these settings, please write back.

O2 - BHO: (no name) - {BF56A325-23F2-42AD-F4E4-00AAC39CAA53} - (no file)

O4 - HKUS\S-1-5-18\..\Run: [AntiSpyware Service] C:\WINDOWS\TEMP\ho472ytgiw.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AntiSpyware Service] C:\WINDOWS\TEMP\ho472ytgiw.exe (User 'Default user')

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,77,65,62,5c,72,65,6c-,61,74,65,64,2e,68,74,6d,00 (file missing)
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,77,65,62,5c,72,65,6c-,61,74,65,64,2e,68,74,6d,00 (file missing)

O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)

Bobbye, I've read the 8 steps guides & rules thank you. Although I'm new to Techspot, I'm not new to programming, network administration, or troubleshooting. You need to understand that the 8 steps are not a "fix all" and each case requires different steps to resolve the issues. As other helpers have said in the past, you need to relax. I'm offering free help based on over 30 years of experience. If you're being paid to help people here, then I'll stop giving advice, otherwise, you should stay out of the way unless you have something usefull to suggest in resolving the issue. I've seen people all over the internet give bad advice, but I've also seen obscure & perfect resolutions to problems on rare or unseen message boards. If you criticise techs here, then you may be preventing a tech from reporting a correct & perfect solution to a problem. Most people who request help here also do Google, Bing, or Yahoo searches on their problems. Don't think that this is the first & only place people go for help. Everyone has a view on resolving bsod, timing, corruption, viruses, hardware, & spyware problems. This isn't meant to be an insult to you. I'm giving my time to help people for free, resolve infections that are very difficult to resolve. I'm not perfect and if I give bad advice, correct me & make comments to suggest better fixes. But don't insult me.

(adding: I do agree with your opinion about Combofix & if you haven't mentioned hijackthis, that special care be taken when using these programs - removing or disabling critical processes can cause the operating system not to function correctly or at all.)

Zyldar

 

[Kaye]

I'm happy that your scans & computer are running better.
Your hijackthis logs look a lot better.

You still need to remove the following in hijackthis:
(when running a scan, place a check next to the following items and remove them.)

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 41.210.252.11:8080

Note: A proxy server is normally only used for businesses that block certain domains from being accessed. If you're not using a work computer that requires a proxy server, there should be no proxy server. If you need help changing these settings, please write back.

O2 - BHO: (no name) - {BF56A325-23F2-42AD-F4E4-00AAC39CAA53} - (no file)

O4 - HKUS\S-1-5-18\..\Run: [AntiSpyware Service] C:\WINDOWS\TEMP\ho472ytgiw.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AntiSpyware Service] C:\WINDOWS\TEMP\ho472ytgiw.exe (User 'Default user')

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,77,65,62,5c,72,65,6c-,61,74,65,64,2e,68,74,6d,00 (file missing)
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,77,65,62,5c,72,65,6c-,61,74,65,64,2e,68,74,6d,00 (file missing)

O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)

Bobbye, I've read the 8 steps guides & rules thank you. Although I'm new to Techspot, I'm not new to programming, network administration, or troubleshooting. You need to understand that the 8 steps are not a "fix all" and each case requires different steps to resolve the issues. As other helpers have said in the past, you need to relax. I'm offering free help based on over 30 years of experience. If you're being paid to help people here, then I'll stop giving advice, otherwise, you should stay out of the way unless you have something usefull to suggest in resolving the issue. I've seen people all over the internet give bad advice, but I've also seen obscure & perfect resolutions to problems on rare or unseen message boards. If you criticise techs here, then you may be preventing a tech from reporting a correct & perfect solution to a problem. Most people who request help here also do Google, Bing, or Yahoo searches on their problems. Don't think that this is the first & only place people go for help. Everyone has a view on resolving bsod, timing, corruption, viruses, hardware, & spyware problems. This isn't meant to be an insult to you. I'm giving my time to help people for free, resolve infections that are very difficult to resolve. I'm not perfect and if I give bad advice, correct me & make comments to suggest better fixes. But don't insult me.

Zyldar

Thanks! I just removed those from the Hijackthis scanner. I'm going to go off to bed; Have you any idea about that random queries problem I'm having, or will the proxy thing solve it? I'll only be reading your answer tomorrow, but, thanks for the help; Sleep well, everyone.

 

[Jawshh]

Fix in Hijackthis:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PAVILION &pf=desktop

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILI ON&pf=desktop

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILI ON&pf=desktop

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILI ON&pf=desktop

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PAVILION &pf=desktop

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILI ON&pf=desktop

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILI ON&pf=desktop

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 41.210.252.11:8080

I don't see anything wrong with IE, but this should reset your IE to defaults.

 

[Kaye]

Well, I don't even use IE - I use Firefox..

Edit~
Sometimes it'll redirect me to a page such as "bondvu.com/search.php" (DO NOT GO THERE) and it'll redirect me to a website such as (DO NOT OPEN THIS) http://clean-pc-now.biz/index.php?PHPSESSID=f70eb31b7e1d5d1d1dc22e8f663c47e9 (DO NOT OPEN THIS)
It's one of those sites with a fake virus scan that says, "You're infected!" and such; It's REALLY annoying. This is using FireFox..

~Edit
I'm doing what I was asked in making logs from RootRepeal and RTIS; I'm wondering, there are four things showing up in the files section where it says the windows API can't see 'em, and they all contain SKYNET in the file name; Should I right click and delete them?

 

[Kaye]

~Addon
Logs from RTIS, finishing RootRepeal now.


~Edit
RootRepeal added.

 

[Zyldar]

If Rootrepeal offers you the ability to delete the 4 skynet files, then YES, please delete them. If it doesn't remove them, then follow the next steps. You should also remove the c:\windows\system32\jetebemi.dll (Trojan.Dropper/Gen-SoftDev).

One way to fix the problem is to boot to a Recovery Console command prompt. Those skynet files probably won't be visible & won't allow you to delete them in Safe Mode although there are some tools that can schedule them to be deleted upon reboot. Your computer may offer a boot option for booting to Recovery Console. If not, then write back & I'll give you instructions.

Another option to removing those files without Recovery Console might be to schedule them for deletion using Killbox from:
http://killbox.net/

Write down the exact file names & locations on a piece of paper to make it easier.
After you boot to Recovery Console type: cd c:\windows\system32
to delete the bad files 1 at a time, type: del jetebemi.dll (enter) then del skynetdltoyxyy.dll (enter)
keep using the del command to delete the 4 files in system32..
then type: cd drivers (enter)
type: del skynettnlhbgil.sys

type exit to reboot.

C:\WINDOWS\system32\jetebemi.dll
C:\WINDOWS\system32\drivers\SKYNETtnlhbgil.sys
C:\WINDOWS\system32\SKYNETdltoyxyy.dll
C:\WINDOWS\system32\SKYNETkctvppib.dll
C:\WINDOWS\system32\SKYNETkvvimxen.dat

If you prefer to use a tool like Killbox rather than boot to Recovery Console, then it should work okay.

Attach new logs after you remove skynet.

Hope that helps.
Zyldar