[solotekk]

This message is for Evilfantasy.


Hello my friend. Hope you are having a wonderful day. I need your assistance with a problem that i have never encountered before with a hjt installation. Can you help?

I was installing it because i noticed a browser hijack or something of the sorts occuring on one of my clients machines. For example: The whole top half of Internet Explorer looks graphically fishy(phishy) to me. So i checked out the graphics properties on XP - everything(windows, text) is default size, shape, etc. Hmmmm, I thought. So then I installed IE 7 and removed a bunch of stuff in add/rem programs list....removed the old java and did an offline install of the latest java. did a reboot.....connected to the internet...good ip address and all that jazz... can't google.All my settings are correct, because i checked them against my laptop (that does go to google) all the same settings are identical. but then I noticed that IE 7 took on the same graphic morphism fishy stuff at the top.....when i say that,, i mean that the top blue bar is bigger than normal and the minimize, max, and close boxes are huge! on the second line, the status bar is bigger....the backward and forward buttons are larger than normal.

So in my efforts not to get frustrated, i proceeded to install hjt, and the install went fine up until right after i clicked the "do a system scan and save log file" button. I got an error i've never seen before, so i did a print screen and tried attaching it, but the file is too big. I am sending it to you via email. Hope you can make some sense out of it. I have a feeling it's related to the graphic fishy stuff going on in IE.

Thanks a bunch my friend,
Solotekk

[evilfantasy]

Did you rename the Hijackthis.exe to something different?

[solotekk]

ok, i downloaded the latest version 2.0.2 from filehippo.com. the install was successful. attached is a copy of the hjt log. maybe my other copy of hjt is corrupted or something. i checked the version and it says 2.0.2.
Hmmmmm.....

Thanks,
Solotekk

[solotekk]

just for security practices...i renamed it "Prada"
Here is the new log file after renaming it prada.

[solotekk]

oops, here is the attachment


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:25:37 PM, on 4/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TY...rio&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TY...rio&pf=desktop
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: IS Service (ISSVC) - Symantec Corporation - c:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
--
End of file - 6360 bytes

[evilfantasy]

Thats a Windows error so it could have happened with any number of programs. As to why it happened I'm not sure. Error # 5 can sometimes be fixed by downloading the latest Visual Basic Run Time Environment. You may want to go to http://www.update.microsoft.com to be sure everything is current. I'm also concerned that there may be more going on then what Hijackthis shows so you should to run another scan to have a better look.

Also there is a newer version of Java out, Java Runtime Environment (JRE) 6 Update 6.

• Go to http://java.sun.com/javase/downloads/index.jsp
• On the Sun Java page scroll to Java Runtime Environment (JRE) 6 Update 6

----------

Open Hijackthis and select Do a system scan only.

Place a check mark next to the following entries: (if there)

• O4 - Startup: PowerReg Scheduler V3.exe

Important: Close all windows except for Hijackthis and then click Fix checked.

Exit Hijackthis.

----------

Download SDFix.exe and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following:

• Restart your computer
• After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
• Instead of Windows loading as normal, the Advanced Options Menu should appear;
• Select the first option, to run Windows in Safe Mode, then press Enter.
• Choose your usual account.
• Open the extracted SDFix folder and double click RunThis.bat to start the script.
• Type Y to begin the cleanup process.
• It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
• Press any Key and it will restart the PC.
• When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
• Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
  (Report.txt will also be copied to Clipboard).
• Finally add the contents of the Report.txt in your next post along with a new Hijackthis scan.

You can just copy and paste the logs and save a little time. The should all easily fit into one post.

[solotekk]

Thats a Windows error so it could have happened with any number of programs. As to why it happened I'm not sure. Error # 5 can sometimes be fixed by downloading the latest Visual Basic Run Time Environment. You may want to go to http://www.update.microsoft.com to be sure everything is current. I'm also concerned that there may be more going on then what Hijackthis shows so you should to run another scan to have a better look.


I can get connected to the internet, but when i do a windows update, it kicks back with a fake looking page similar to the page that comes up when you can't connect, and you have the option to diagnose the connection.....well, this fancy fake page doesn't include that option.......therefore i can't surf or download anything....but i am connected to the internet....


I am running the SDFix right now....

[solotekk]

here is the log from SDFix.

[evilfantasy]

Hmmm.

Do you have an XP CD?

If so, place it in your CD ROM drive and follow the instructions below:

• Click on Start > Run and type sfc /scannow then press Enter (note the space between scf and /scannow)
  • Let this run undisturbed until the window with the blue progress bar goes away

SFC - Which stands for System File Checker, retrieves the correct version of the file from %Systemroot%\System32\Dllcache or the Windows installation source files, and then replaces the incorrect file.

If you want to see what was replaced, right-click My Computer and click on Manage.
In the new window that appears, expand the Event Viewer (by clicking on the + symbol next to it) and then click on System.

[solotekk]

i have a few XP cds. but this OS is Media Center and unfortunately I do not have that CD.

Can I use an XP Home SP1 cd to try?

[evilfantasy]

No I don't think that would work. Try this.

1. Download IEFix.zip and run it.
2. Click the Apply button.
3. You'll be prompted for the Operating System CD or the Service Pack Files location.
4. Once finished Restart Windows.

If you're using Windows XP, insert the Operating System CD. For OEM systems, point to the Operating System source path when prompted. If you've applied a Service Pack separately, you need to insert the Slipstreamed Operating System CD (if you have one) or point the installer to the ServicePack source path when prompted (see example below). Mention the path as "C:\Windows\ServicePackFiles\i386" or "C:\Windows\ServicePackFiles"


If you don't have the Windows installation CD, and if the installation source files are not present in the hard disk, you may click Cancel when you see a dialog similar to the example below. IEFix will continue with DLL registration part.

[solotekk]

IEFix didn't work. Remember, this is a Media Center Edition box. IEFix requires XP SP2 files/cd for the program to work. Plus, I had to revert back to IE6 because the program is not compatible with IE7.

I ran the program anyway just for laughs and giggles, and i received an internet search page error pop up window.


I took a screenshot of it.

I'll send it to your email.

Any suggestions?
thx

[evilfantasy]

Lets try one more scan to be thorough then move on to other attempts.

[solotekk]

i decided to try a2 free 3.5. I am running a scan right now.It's already found a few low risk threats. What other scan would you like me to run?

[evilfantasy]

Be sure to save and then post the log from aSquared please.

When the scan completes.

**IMPORTANT: Before doing anything else, first click on Save Report and save the report to the Desktop This will put a log on the desktop named a2scan_######