Just Making Sure....

Discussion in 'adware, spyware & hijack cleaning' started by Lintrod, Jun 15, 2004.

Thread Status:
Not open for further replies.
  1. Lintrod

    Lintrod Registered Member

    Joined:
    Jun 15, 2004
    Posts:
    8
    I had some adware on my machine recently, and like the moron I am, started messing around with HighJackThis, trying to follow examples from posts with simlar problems. I think I got it, but I'd sleep alittle sounder if somebody could take a look.

    Heres my logfile

    Logfile of HijackThis v1.97.7
    Scan saved at 11:21:22 PM, on 14/06/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    c:\quorum\pud\bin\filechangemonitor.exe
    I:\FileChecker\FileChecker\filechecker.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\system32\sdkuw.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\system32\mfcej32.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    I:\Spywareguard\SpywareGuard\sgmain.exe
    I:\Spywareguard\SpywareGuard\sgbhp.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\System32\msiexec.exe
    C:\Documents and Settings\Ian.FAMILYPC\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe
    C:\Program Files\Messenger\msmsgs.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = www.google.ca
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {D33E8457-1C8B-99A8-FC93-DCDA4844B2A5} - C:\WINDOWS\system32\sdkwf.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [mfcej32.exe] C:\WINDOWS\system32\mfcej32.exe
    O4 - HKCU\..\Run: [Steam] I:\Program Files\Steam\Steam.exe -silent
    O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
    O4 - Startup: SpywareGuard.lnk = I:\Spywareguard\SpywareGuard\sgmain.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab27571.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - https://pd.talisman-energy.com/nfuse/Citrix/ICAWEB/en/ica32/wficac.cab
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
    O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_42.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://192.168.0.104/tsweb/msrdp.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37892.6609953704
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab

    Thanks for your Help
     
  2. IMM

    IMM Spyware Fighter

    Joined:
    May 6, 2004
    Posts:
    351
    Before you start, please unzip HijackThis to it's own folder somewhere.
    The program will make backups in the folder it's run from.
    These easily get lost in a Temp folder and are an annoyance on the desktop.


    Use Taskmanager (Ctrl-Alt-Del) to end these running processes if you can
    (or use Process Explorer)
    C:\WINDOWS\system32\sdkuw.exe
    C:\WINDOWS\system32\mfcej32.exe



    Run HijackThis again, push Scan and place a check mark next to the following items using your mouse.
    Next, close all browser Windows, and push the 'Fix checked' button in HijackThis
    O2 - BHO: (no name) - {D33E8457-1C8B-99A8-FC93-DCDA4844B2A5} - C:\WINDOWS\system32\sdkwf.dll
    O4 - HKLM\..\Run: [mfcej32.exe] C:\WINDOWS\system32\mfcej32.exe


    -----------
    Download the latest version of Ad-Aware at http://www.lavasoftusa.com/support/download/
    After installing AAW, and before running the program, you NEED to FIRST update the reference file following these instructions.
    Now do the following:
    - Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Scanning Engine:
    check: "Unload recognized processes during scanning."
    - Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Cleaning Engine:
    Check: "Let Windows remove files in use after reboot."

    Press "Scan Now"
    - Check option "Use Custom scanning options"
    - Check option "Activate In-Depth Scan"
    - Press "Select drives\folders to scan"
    - Select the active partition which is usually C:

    Now press "Next" to let Ad-aware scan your drives...
    It will find a number of "bad" files and registry keys.
    Right-click in that pane and choose "select all"

    Now press "Next" again.
    It will ask you whether you'd like to remove all checked items. Click OK.

    Finally, close Ad-Aware, and reboot.
    ------------

    Delete these files if adaware didn't
    C:\WINDOWS\system32\sdkuw.exe
    C:\WINDOWS\system32\mfcej32.exe


    --------
    I do not understand this one
    O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://192.168.0.104/tsweb/msrdp.cab
    That should be a local address (IANA black hole) -- are you on a local network with a terminal services server ?
     
  3. Lintrod

    Lintrod Registered Member

    Joined:
    Jun 15, 2004
    Posts:
    8
    are you on a local network with a terminal services server ?

    Not quite sure what that means, but I think I am....
     
  4. Lintrod

    Lintrod Registered Member

    Joined:
    Jun 15, 2004
    Posts:
    8
    I dont know if this is related or not, but everytime I open Internet Explorer, or anything that connects to the internet, It wants me to install "Microsoft Office XP Professional with Frontpage", and asks me to insert the CD. Why does this happen, and how do I get rid of it?
     
Thread Status:
Not open for further replies.