IadHide5.dll and other stuffs

By Kaye ยท 14 replies
Sep 6, 2009
  1. Recently, I've discovered that a virus has decided to manifest in my system. Naturally, I was worried and such, but I thought I'd be able to get rid of it; After re-enabling my registry, re-enabling my folder options, and such, I've found that there's a list of .exe's that are named similarily to system processes - Meaning some I can end when I see, and some I can't. Scanning, deleting, and changing properties hasn't done anything, because it appears to restore itself constantly. Disabling the on startup items, with CCleaner, as well as scanning/quarentining, I'll post a Hijackthis log, and I'm hoping somebody can help..

    I'm running Windows XP, if that helps.
  2. Zyldar

    Zyldar TS Rookie Posts: 34

    Please install, update, run, & post logs for Malwarebytes, & spybot s&d as well.

    You should Run the scans in Windows SAFE Mode.
    (Press the F8 key on bootup prior to the Windows Logo appearing to bring up a boot options window)
    (Up arrow to SAFE MODE and press Enter)
  3. Kaye

    Kaye TS Rookie Topic Starter

    Where would I get those programs? I read the 8 steps and didn't see them, but I may have skimmed too fast; Will I be able to post logs from safemode, or will I have to save 'em and boot up in normal mode?
  4. Zyldar

    Zyldar TS Rookie Posts: 34

    You can download Malwarebytes from:
    http://malwarebytes.org - a Download button will apear on the their home page on the left side.

    You can download Spybot s&d from:

    You can only post in SAFE Mode if you boot with the option "safe mode with networking".

    After you run and save the scans or reports, reboot the computer before trying to post. If your browser is infected, then opening it in safe mode can still re-infect your computer.

    Your hijackthis is an older version and you might want to download & use a newer version.

    Also, download & run Rootkitbuster:

    The log you posted shows multiple system files running from a TEMP folder. Hopefully running the scans in SAFE Mode will clean them.

    Please install, update, & run all of the scans in SAFE Mode and post the logs.

    Hope that helps.
  5. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    Usually the newer members have not read this, which is available right above this forum:

    Special governing rules for the Virus & Malware removal board> https://www.techspot.com/vb/topic120350.html

    This was set up because new members were having people run many different programs and it was found that there was no guidance. You will find all the links for the programs in the thread.
  6. Kaye

    Kaye TS Rookie Topic Starter

    Well, I apologize; Anyhow, here's the new log attached. I looked in the 'temp' folder, and there's still an install.exe, but everything else appears to be gone.. There is, however, a log file in the temp folder;
    The system cannot open the device or file specified.
    The system cannot open the device or file specified.
    The system cannot open the device or file specified.
    The system cannot open the device or file specified.
    The system cannot open the device or file specified.
    The system cannot open the device or file specified.
    The system cannot open the device or file specified.
    The system cannot open the device or file specified.
    The system cannot open the device or file specified.
    The system cannot open the device or file specified.
    The system cannot open the device or file specified.
    Internal Error 2755. 110, C:\Program Files\Common Files\Wise Installation Wizard\WISCDDCBBF1270346BC938BBCC81A1EEAAA_4_28_0_1010.MSI
    === Logging stopped: 9/6/2009 16:41:08 ===

    It said that. Attached is the hijackthis log.

    I'm going to restart in safe mode /again/ and run the two scanners, again, because I ran that rootkit buster and it found quite a lot of items, attaching that as well, and when I selected them, it said they'd been deleted, and to restart my CPU, which I'm doing. Be back soon with results!
  7. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    My apology Kaye. The message was meant for Zyldar, not you. Sometimes a new member will attempt to assist someone with a malware cleaning but doesn't know about the programs that have been listed as to be run first.

    Go to Start>>Control Panel>>Add or Remove Programs and uninstall Logitech Desktop Messenger

    Why don't you just run a new HJT after the uninstall and let someone help you with that.
  8. Kaye

    Kaye TS Rookie Topic Starter

    Alright, I ran the scans and took a Hijack after getting rid of everything with both scanners, and I'll be posting a log. I then, removed my Logitech DM, even though that was installed awhile ago because of my mouse/keyboard, and I'll be posting that too, I'll call it, "AfterRemoveLog," or something.
  9. Kaye

    Kaye TS Rookie Topic Starter

    Okay, everything seems to be better, the EXE's haven't returned, nothing's going wrong.. However, if anybody might have a fix for this;
    For a while, now, whenever I open things up like Google, and I do a search, it'll have the list of results - Here's the problem. Sometimes, when I click a link, it'll redirect me to something else, and it's extremely annoying, because I'll have to copy the link and open a new tab to go where I'm trying to go. When I went to Google on Opera, it told me my computer was sending automated queries, and I'm wondering if anybody might know what's causing this? I have reinstalled my browser before, and it didn't help.
  10. Zyldar

    Zyldar TS Rookie Posts: 34

    I'm happy that your scans & computer are running better.
    Your hijackthis logs look a lot better.

    You still need to remove the following in hijackthis:
    (when running a scan, place a check next to the following items and remove them.)

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer =

    Note: A proxy server is normally only used for businesses that block certain domains from being accessed. If you're not using a work computer that requires a proxy server, there should be no proxy server. If you need help changing these settings, please write back.

    O2 - BHO: (no name) - {BF56A325-23F2-42AD-F4E4-00AAC39CAA53} - (no file)

    O4 - HKUS\S-1-5-18\..\Run: [AntiSpyware Service] C:\WINDOWS\TEMP\ho472ytgiw.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AntiSpyware Service] C:\WINDOWS\TEMP\ho472ytgiw.exe (User 'Default user')

    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,77,65,62,5c,72,65,6c-,61,74,65,64,2e,68,74,6d,00 (file missing)
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,77,65,62,5c,72,65,6c-,61,74,65,64,2e,68,74,6d,00 (file missing)

    O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)

    Bobbye, I've read the 8 steps guides & rules thank you. Although I'm new to Techspot, I'm not new to programming, network administration, or troubleshooting. You need to understand that the 8 steps are not a "fix all" and each case requires different steps to resolve the issues. As other helpers have said in the past, you need to relax. I'm offering free help based on over 30 years of experience. If you're being paid to help people here, then I'll stop giving advice, otherwise, you should stay out of the way unless you have something usefull to suggest in resolving the issue. I've seen people all over the internet give bad advice, but I've also seen obscure & perfect resolutions to problems on rare or unseen message boards. If you criticise techs here, then you may be preventing a tech from reporting a correct & perfect solution to a problem. Most people who request help here also do Google, Bing, or Yahoo searches on their problems. Don't think that this is the first & only place people go for help. Everyone has a view on resolving bsod, timing, corruption, viruses, hardware, & spyware problems. This isn't meant to be an insult to you. I'm giving my time to help people for free, resolve infections that are very difficult to resolve. I'm not perfect and if I give bad advice, correct me & make comments to suggest better fixes. But don't insult me.

    (adding: I do agree with your opinion about Combofix & if you haven't mentioned hijackthis, that special care be taken when using these programs - removing or disabling critical processes can cause the operating system not to function correctly or at all.)

  11. Kaye

    Kaye TS Rookie Topic Starter

    Thanks! I just removed those from the Hijackthis scanner. I'm going to go off to bed; Have you any idea about that random queries problem I'm having, or will the proxy thing solve it? I'll only be reading your answer tomorrow, but, thanks for the help; Sleep well, everyone.
  12. Jawshh

    Jawshh TS Enthusiast Posts: 392

    Fix in Hijackthis:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PAVILION &pf=desktop

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILI ON&pf=desktop

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILI ON&pf=desktop

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILI ON&pf=desktop

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PAVILION &pf=desktop

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILI ON&pf=desktop

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILI ON&pf=desktop

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer =

    I don't see anything wrong with IE, but this should reset your IE to defaults.
  13. Kaye

    Kaye TS Rookie Topic Starter

    Well, I don't even use IE - I use Firefox..

    Sometimes it'll redirect me to a page such as "bondvu.com/search.php" (DO NOT GO THERE) and it'll redirect me to a website such as (DO NOT OPEN THIS) http://clean-pc-now.biz/index.php?PHPSESSID=f70eb31b7e1d5d1d1dc22e8f663c47e9 (DO NOT OPEN THIS)
    It's one of those sites with a fake virus scan that says, "You're infected!" and such; It's REALLY annoying. This is using FireFox..

    I'm doing what I was asked in making logs from RootRepeal and RTIS; I'm wondering, there are four things showing up in the files section where it says the windows API can't see 'em, and they all contain SKYNET in the file name; Should I right click and delete them?
  14. Kaye

    Kaye TS Rookie Topic Starter

    Logs from RTIS, finishing RootRepeal now.

    RootRepeal added.
  15. Zyldar

    Zyldar TS Rookie Posts: 34

    If Rootrepeal offers you the ability to delete the 4 skynet files, then YES, please delete them. If it doesn't remove them, then follow the next steps. You should also remove the c:\windows\system32\jetebemi.dll (Trojan.Dropper/Gen-SoftDev).

    One way to fix the problem is to boot to a Recovery Console command prompt. Those skynet files probably won't be visible & won't allow you to delete them in Safe Mode although there are some tools that can schedule them to be deleted upon reboot. Your computer may offer a boot option for booting to Recovery Console. If not, then write back & I'll give you instructions.

    Another option to removing those files without Recovery Console might be to schedule them for deletion using Killbox from:

    Write down the exact file names & locations on a piece of paper to make it easier.
    After you boot to Recovery Console type: cd c:\windows\system32
    to delete the bad files 1 at a time, type: del jetebemi.dll (enter) then del skynetdltoyxyy.dll (enter)
    keep using the del command to delete the 4 files in system32..
    then type: cd drivers (enter)
    type: del skynettnlhbgil.sys

    type exit to reboot.


    If you prefer to use a tool like Killbox rather than boot to Recovery Console, then it should work okay.

    Attach new logs after you remove skynet.

    Hope that helps.
Topic Status:
Not open for further replies.

Similar Topics

Add your comment to this article

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...