
Help! *HT Log Included*


Name: Alassinsane
Date: November 30, 2003 at 13:08:36 Pacific
OS: Windows ME
CPU/Ram: AMD Athlon Processor 128.
Comment:

Hi. I'm new to this site. My apologies if I am requesting information that has already been posted.

I'm having a problem with my computer that I hope someone can help me out with. Several days ago I managed to get a trojan virus, BELT.exe. AVG kept telling me I had Downloader.Stubby.A and bringing up several corrupt files for me to get rid of, like C:\_RESTORE\TEMP\A0007712.CPY.

I was able to delete those files, and I thought, clean up my computer. Now when I run AVG it doesn't identify any infected files. However, I'm still getting numerous pop-up ads instructing me to install programs when I simply turn on my computer and/or surf the web. And I'm still having a lot of difficulties shutting down my computer.

I run Ad-aware, Spybot S&D, AVG, and a Trojan Remover program I downloaded on a daily basis, and none of them show any existing infected files... yet the problems persist. Any ideas about what I can do to correct these problems?


Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.exe
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.exe
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.exe
C:\WINDOWS\SYSTEM\MSTASK.exe
C:\WINDOWS\EXPLORER.exe
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.exe
C:\WINDOWS\MWSVM.exe
C:\WINDOWS\TASKMON.exe
C:\WINDOWS\SYSTEM\SYSTRAY.exe
C:\WINDOWS\SYSTEM\RESTORE\STMGR.exe
C:\WINDOWS\SYSTEM\WMIEXE.exe
C:\WINDOWS\SYSTEM\MBHRO.exe
C:\WINDOWS\SYSTEM\MBHRO.exe
C:\WINDOWS\SYSTEM\TAPISRV.exe
C:\WINDOWS\SYSTEM\RNAAPP.exe
C:\PROGRAM FILES\AT&T\WNCLIENT\PROGRAMS\WNCONNECT.exe
C:\PROGRAM FILES\AT&T\WNCLIENT\PROGRAMS\WNCSMSERVER.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.exe
C:\WINDOWS\SYSTEM\DDHELP.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.exe
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.exe
C:\WINDOWS\SYSTEM\SPOOL32.exe
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.exe
C:\WINDOWS\SYSTEM\PSTORES.exe
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = nov
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.seekseek.com/quicksearch...p;version_id=18
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchwww.com/search.cgi?s=%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.searchalot.com/
R3 - Default URLSearchHook is missing
N3 - Netscape 7: user_pref("browser.startup.homepage", "www.google.com"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\yg4s4hwn.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_01.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\yg4s4hwn.slt\prefs.js)
O2 - BHO: DefaultSearch.SeekSeek - {5074851C-F67A-488E-A9C9-C244573F4068} - C:\WINDOWS\IEASST.DLL
O2 - BHO: (no name) - {71EA4DB9-C913-429C-BD02-A7B86C0B2323} - C:\WINDOWS\SYSTEM\MSRESCR40.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [ftxhgygn] C:\WINDOWS\SYSTEM\ftxhgygn.exe
O4 - HKLM\..\Run: [slmss] C:\Program Files\Common Files\slmss\slmss.exe
O4 - HKLM\..\Run: [Mwsvm] C:\WINDOWS\mwsvm.exe
O4 - HKLM\..\Run: [absr] C:\WINDOWS\mwsvm.exe
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] c:\windows\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
O4 - HKLM\..\Run: [3DE96@63H83WH4] C:\WINDOWS\SYSTEM\IovoDw.exe
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [MSConfigReminder] C:\WINDOWS\SYSTEM\msconfig.exe /reminder
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O9 - Extra 'Tools' menuitem: Turbo Download (HKLM)
O12 - Plugin for .pdf: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\nppdf32.dll
O12 - Plugin for .doc: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\NPDOC.DLL
O14 - IERESET.INF: START_PAGE_URL=
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.c...7948.5995601852
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {01CA75F1-054B-4A63-9221-C6926369EC52} (HS_live Control) - http://install.homestead.com/~site/...ive/HS_live.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {4C226336-4032-489F-9674-67E74225979B} (OTXMovie Class) - http://otx.ifilm.com/OTXMedia/OTXMedia.dll
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/1294afff4ba92f...ip/RdxIE601.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Fun Web Products Installer Start) - http://imgfarm.com/images/nocache/f...etup1.0.0.5.cab
O16 - DPF: {086A694F-91FB-4068-B44C-124FB69BF05D} - http://www.searchwww.com/search.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/...director/sw.cab



Response Number 1
Name: Abnormal
Date: November 30, 2003 at 13:43:20 Pacific
Reply:

Please follow these steps, in exactly this order:

Run this uninstaller:

http://home01.wxs.nl/~kleyn080/uninst.exe

When done, use the following tool to delete the files themselves:

Download Drpepertobackup.exe, save it to disk, and double-click the file; it will self-extract to C:\.
Find the "C:\drpeper\Find backup and Delete Peper files.vbs" file and double-click it.

http://www.mjc1.com/files/mo/drpepertobackup.exe


On the first prompt, copy and paste: MBHRO.EXE .... and hit OK.

On the second, paste: IovoDw.exe and hit OK again.


It will find all the files, delete them, and make backups in the same folder.
It'll open a text file (Peper.txt) with the list of all files deleted.

Post your new log when done.
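The "find, back up, delete, write a list" step that the Peper tool performs is shown below as an added example in Python; it is not the VBScript from the post, and the folder layout, the sample tree, and the report name are this example's own assumptions. Matching is case-insensitive because Windows filenames are, the copy is made before the delete so a failed copy leaves the original in place, and the walk skips the backup folder so the tool never deletes its own copies.

```python
import os
import shutil
import tempfile
from pathlib import Path


def find_backup_delete(root, names, backup_dir, report_name="Peper.txt"):
    """Walk ROOT for files named in NAMES (case-insensitive, as on FAT/Windows),
    copy each into BACKUP_DIR under its original relative path, delete the
    original, and write the deleted paths to BACKUP_DIR/REPORT_NAME.
    Returns the list of deleted paths."""
    root, backup_dir = Path(root).resolve(), Path(backup_dir).resolve()
    wanted = {n.lower() for n in names}
    deleted = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Never walk into the backup folder, or we would re-delete our own copies.
        dirnames[:] = [d for d in dirnames if Path(dirpath, d).resolve() != backup_dir]
        for fn in filenames:
            if fn.lower() not in wanted:
                continue
            src = Path(dirpath, fn)
            dst = backup_dir / src.relative_to(root)
            dst.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(src, dst)  # copy first: a failed copy leaves the original untouched
            # Caveat: on Windows this unlink raises PermissionError while the file is a
            # running process (MBHRO.exe appears twice in the posted process list), so
            # end the process or reboot before running a cleanup like this.
            src.unlink()
            deleted.append(str(src))
    backup_dir.mkdir(parents=True, exist_ok=True)
    (backup_dir / report_name).write_text("".join(p + "\n" for p in deleted))
    return deleted


def demo():
    """Constructed sample tree (not a real disk): two copies of MBHRO.EXE and one
    IovoDw.exe, the two names from the post, among a file that must survive."""
    root = Path(tempfile.mkdtemp())
    for rel, data in {
        "WINDOWS/SYSTEM/MBHRO.EXE": b"bad1", "WINDOWS/mbhro.exe": b"bad2",
        "WINDOWS/SYSTEM/IovoDw.exe": b"bad3", "WINDOWS/SYSTEM/KERNEL32.DLL": b"ok",
    }.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    backup = root / "drpeper" / "backup"   # assumed backup location
    deleted = find_backup_delete(root, ["MBHRO.EXE", "IovoDw.exe"], backup)
    return {
        "deleted": sorted(Path(p).name.lower() for p in deleted),
        "kernel32_kept": (root / "WINDOWS/SYSTEM/KERNEL32.DLL").exists(),
        "originals_gone": not (root / "WINDOWS/SYSTEM/MBHRO.EXE").exists(),
        "backup_bytes": (backup / "WINDOWS/SYSTEM/MBHRO.EXE").read_bytes(),
        "report_lines": (backup / "Peper.txt").read_text().count("\n"),
    }


if __name__ == "__main__":
    print(demo())
```

Run it as-is to see the sample result; to use it on a real tree, call find_backup_delete with the drive root, the names from the prompt, and a backup folder outside the paths you intend to clean.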



Response Number 2
Name: Alassinsane
Date: November 30, 2003 at 14:01:51 Pacific
Reply:

Hi Abnormal,

Thank you kindly for your help. Afraid I am encountering a problem. In following your instructions I can only get as far as the drpepertobackup program, and when I try to double-click it a message comes up: "Find backup and Delete Peper files.vbs... already exists". I am not receiving a prompt to cut and paste the files that you suggested. Any ideas why this isn't working?



Response Number 3
Name: Tom41
Date: November 30, 2003 at 14:26:31 Pacific
Reply:

It sounds like you are clicking on the 'drpepertobackup.exe' and not the 'Find backup and Delete Peper files.vbs' file.

Click My Computer > 'C' drive. Inside will be the folder 'drpeper', open this folder and inside will be 'Find backup and Delete Peper files.vbs'.



Response Number 4
Name: Alassinsane
Date: November 30, 2003 at 14:52:39 Pacific
Reply:

Thank you VERY much, Tom. You're right. I was clicking the .exe instead of the backup-and-delete file. Once I followed your instructions I was able to do the cut and paste that Abnormal suggested.

Don't know if everything is in order now but I am including my new HT log. I hope my computer is FINALLY virus free.

Thanks again! This site has been very helpful. :-)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.exe
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.exe
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.exe
C:\WINDOWS\SYSTEM\MSTASK.exe
C:\WINDOWS\EXPLORER.exe
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.exe
C:\WINDOWS\TASKMON.exe
C:\WINDOWS\SYSTEM\SYSTRAY.exe
C:\WINDOWS\SYSTEM\WMIEXE.exe
C:\WINDOWS\SYSTEM\RESTORE\STMGR.exe
C:\PROGRAM FILES\AT&T\WNCLIENT\PROGRAMS\WNCONNECT.exe
C:\PROGRAM FILES\AT&T\WNCLIENT\PROGRAMS\WNCSMSERVER.exe
C:\WINDOWS\SYSTEM\TAPISRV.exe
C:\WINDOWS\SYSTEM\RNAAPP.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.exe
C:\WINDOWS\NOTEPAD.exe
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = nov
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchwww.com/search.cgi?s=%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.searchalot.com/
R3 - Default URLSearchHook is missing
N3 - Netscape 7: user_pref("browser.startup.homepage", "www.google.com"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\yg4s4hwn.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_01.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\yg4s4hwn.slt\prefs.js)
O2 - BHO: (no name) - {71EA4DB9-C913-429C-BD02-A7B86C0B2323} - C:\WINDOWS\SYSTEM\MSRESCR40.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [ftxhgygn] C:\WINDOWS\SYSTEM\ftxhgygn.exe
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] c:\windows\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O9 - Extra 'Tools' menuitem: Turbo Download (HKLM)
O12 - Plugin for .pdf: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\nppdf32.dll
O12 - Plugin for .doc: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\NPDOC.DLL
O14 - IERESET.INF: START_PAGE_URL=
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37948.5995601852
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {01CA75F1-054B-4A63-9221-C6926369EC52} (HS_live Control) - http://install.homestead.com/~site/InstallFiles/SIFiles/lpxlive/HS_live.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {4C226336-4032-489F-9674-67E74225979B} (OTXMovie Class) - http://otx.ifilm.com/OTXMedia/OTXMedia.dll
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/1294afff4ba92f0f1423/netzip/RdxIE601.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Fun Web Products Installer Start) - http://imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.5.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab




Response Number 5
Name: Abnormal
Date: November 30, 2003 at 14:58:23 Pacific
Reply:

Thanks, Tom, for jumping in; getting lost on another one downstairs, post 7642.

Can you help with the leftovers?



Response Number 6
Name: Tom41
Date: November 30, 2003 at 15:00:13 Pacific
Reply:

Run HijackThis again and place a check in the box next to the following items.
Next, close all browser windows, and have HT 'Fix checked'.

You must restart your computer when you're done.

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = nov
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchwww.com/search.cgi?s=%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.searchalot.com/
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {71EA4DB9-C913-429C-BD02-A7B86C0B2323} - C:\WINDOWS\SYSTEM\MSRESCR40.DLL
O4 - HKLM\..\Run: [ftxhgygn] C:\WINDOWS\SYSTEM\ftxhgygn.exe

After restarting delete C:\WINDOWS\SYSTEM\ftxhgygn.exe
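Tom41's fix list above is the result of reading the second log by hand: a Run value with a random-looking name, an unnamed BHO living in the Windows directory, IE start and search values pointing at third-party search sites, and a missing URLSearchHook. The block below is an added example, not HijackThis code or anything from the thread, that parses abridged copies of the two logs posted here and applies those same checks mechanically, plus two the posts did not spell out (two Run values launching the same executable, as Mwsvm/absr did, and an ActiveX control fetched from a bare IP address). The name-shape thresholds and the DEFAULT_HOSTS allowlist are this example's own assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample input: abridged copies of the two logs posted in this thread.
LOG_BEFORE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = nov
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.seekseek.com/quicksearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchwww.com/search.cgi?s=%s
R3 - Default URLSearchHook is missing
O2 - BHO: DefaultSearch.SeekSeek - {5074851C-F67A-488E-A9C9-C244573F4068} - C:\WINDOWS\IEASST.DLL
O2 - BHO: (no name) - {71EA4DB9-C913-429C-BD02-A7B86C0B2323} - C:\WINDOWS\SYSTEM\MSRESCR40.DLL
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [ftxhgygn] C:\WINDOWS\SYSTEM\ftxhgygn.exe
O4 - HKLM\..\Run: [Mwsvm] C:\WINDOWS\mwsvm.exe
O4 - HKLM\..\Run: [absr] C:\WINDOWS\mwsvm.exe
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [3DE96@63H83WH4] C:\WINDOWS\SYSTEM\IovoDw.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/1294afff4ba92f0f1423/netzip/RdxIE601.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
"""
LOG_AFTER = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = nov
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchwww.com/search.cgi?s=%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.searchalot.com/
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {71EA4DB9-C913-429C-BD02-A7B86C0B2323} - C:\WINDOWS\SYSTEM\MSRESCR40.DLL
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [ftxhgygn] C:\WINDOWS\SYSTEM\ftxhgygn.exe
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/1294afff4ba92f0f1423/netzip/RdxIE601.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
"""

RUN_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] ?(?P<cmd>.*)$")
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
R_RE = re.compile(r"^R[01] - (?P<key>[^,]+),(?P<value>[^=]*?)\s*=\s*(?P<data>.*)$")
DPF_RE = re.compile(r"^O16 - DPF: \{(?P<clsid>[0-9A-Fa-f-]+)\}(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)$")
EXE_RE = re.compile(r'(?i)^"?(.*?\.(?:exe|com|dll))')
# Machine-generated value names: all lowercase consonants, or a long run of
# digits/capitals/symbols. Thresholds are this example's own, not HijackThis's.
JUNK_NAME = re.compile(r"^(?:[b-df-hj-np-tv-z]{6,}|[0-9A-Z@#$%&]{10,})$")
DEFAULT_HOSTS = {"www.msn.com", "msn.com", "www.microsoft.com", "home.microsoft.com"}  # assumption
IP_HOST = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
WINDIR_FILE = re.compile(r"(?i)^c:\\windows\\(?:system\\)?[^\\]+$")  # DLL dropped straight into WINDOWS


def triage(log):
    """Return [(line, reason)] for every entry this example's checks consider worth fixing."""
    findings = []
    targets = defaultdict(list)  # (hive, key, exe basename) -> lines launching it
    for line in (l.strip() for l in log.splitlines() if l.strip()):
        if line.startswith("R3 - ") and "missing" in line:
            findings.append((line, "URLSearchHook removed; let HJT restore the default"))
        elif (m := R_RE.match(line)):
            data = m["data"].strip()
            if not data or data.lower() == "about:blank":
                continue
            host = urlsplit(data).hostname
            if host is None:
                findings.append((line, "start/search value is not a URL"))
            elif host not in DEFAULT_HOSTS:
                findings.append((line, f"start/search redirected to {host}"))
        elif (m := BHO_RE.match(line)):
            if m["name"] == "(no name)" or WINDIR_FILE.match(m["path"]):
                findings.append((line, "unnamed BHO, or BHO DLL living in the Windows directory"))
        elif (m := RUN_RE.match(line)):
            if JUNK_NAME.match(m["name"]):
                findings.append((line, "random-looking Run value name"))
            exe = EXE_RE.match(m["cmd"])
            if exe:
                base = exe.group(1).rsplit("\\", 1)[-1].lower()
                targets[(m["hive"], m["key"], base)].append(line)
        elif (m := DPF_RE.match(line)):
            if IP_HOST.match(urlsplit(m["url"]).hostname or ""):
                findings.append((line, "ActiveX control fetched from a bare IP address"))
    for (_, _, base), lines in targets.items():
        if len(lines) > 1:  # e.g. [Mwsvm] and [absr] both launching mwsvm.exe
            findings.extend((line, f"{base} registered twice under different names") for line in lines)
    return findings


def removed_between(before, after):
    """Lines present in the first log but gone from the second: what a fix removed."""
    kept = {l.strip() for l in after.splitlines()}
    return [l.strip() for l in before.splitlines() if l.strip() and l.strip() not in kept]


if __name__ == "__main__":
    for line, reason in triage(LOG_AFTER):
        print(f"{reason}: {line}")
```

Run against LOG_AFTER it flags exactly the six entries Tom41 checked plus the RdxIE control pulled from 207.188.7.150; run against LOG_BEFORE it additionally flags the SeekSeek BHO, the seekseek.com search assistant, the 3DE96@63H83WH4 value behind IovoDw.exe, and the Mwsvm/absr pair. removed_between shows what the Peper step took out. The stock Windows ME entries (ScanRegistry, AVG_CC, the Macromedia controls) are left alone.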



Response Number 7
Name: Alassinsane
Date: November 30, 2003 at 15:15:15 Pacific
Reply:

Done! Thanks again.



Response Number 8
Name: Tom41
Date: November 30, 2003 at 15:21:39 Pacific
Reply:

Abnormal, Sure...

