HJT - arrina kiss


5 replies to this topic

#1 arrina_kiss


Posted 16 February 2005 - 06:00 PM

Ok...I ran the HJT, and here is the log.....

Logfile of HijackThis v1.99.0
Scan saved at 5:37:15 PM, on 2/16/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\pctspk.exe
C:\windows\system32\sjjlth.exe
C:\Program Files\mail.com\mcalert.exe
C:\Documents and Settings\VAN\Application Data\MyTraveler\MyTraveler.exe
C:\windows\system32\packager.exe
C:\Program Files\Trillian\trillian.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\VAN\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: BTGrabObj Class - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\WINDOWS\BTGrab.dll
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [sjjlth] c:\windows\system32\sjjlth.exe
O4 - HKCU\..\Run: [Mail.com] C:\Program Files\mail.com\mcalert.exe -auto
O4 - HKCU\..\Run: [MyTraveler] C:\Documents and Settings\VAN\Application Data\MyTraveler\MyTraveler.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\spysub.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F24161F0-CB66-4017-A256-B8E72E545570}: NameServer = 207.107.254.9 204.50.251.17
O23 - Service: PCTEL Speaker Phone - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe

If I missed anything or you need more info.....let me know.

Arrina



#2 phawgg


Posted 16 February 2005 - 10:24 PM

I'll check your log, arrina
and get back with a list to do
which will be posted here asap. :thumbsup:
patiently patrolling, plenty of persistent pests n' problems ...

#3 arrina_kiss


Posted 17 February 2005 - 03:01 AM

Thank you very much phawgg, your help is much appreciated :thumbsup:

Arrina

#4 phawgg


Posted 18 February 2005 - 03:04 AM

arrina, I am not certain two programs you have installed, Mail.com & MyTraveler, are free of malware.
They probably are, and probably are not involved in your present problems, but I am not positive of it.

Other files are definitely problems, so we will attempt to delete them first.

Please perform the steps in exact order for best results.
Read through them carefully first to avoid confusion.

Print out, Copy/paste these instructions to a notepad/wordpad
or choose file-->save page as: HJT instructions.

Click Start-->control panel-->administrative tools-->services.
Look for a service called ZESOFT .
Double-click on that service
and click stop and then set the startup to disabled.

Press control-alt-delete to get into the task manager,
or rightclick in the taskbar-->choose task manager
and end the following processes (if they are running):
zeta.exe
packager.exe


Set your PC to: show hidden files. Additional information here.

Open your C:\HJT folder and double-click the icon.
Close everything except HijackThis, nothing else on your desktop.

Run Hijackthis:
click Scan, and put a checkmark next to each of the following objects:

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: BTGrabObj Class - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\WINDOWS\BTGrab.dll
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll
O4 - HKLM\..\Run: [sjjlth] c:\windows\system32\sjjlth.exe
O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe

Click the Fix button, when you're sure that files marked for deletion are correct.

Reboot into Safe Mode by tapping F8 until
the DOS screen appears. Press "Yes". Use the up arrow to choose safe mode. Hit enter. "OK" the choice.


Search for, locate and delete files or folders
To find them use: Start-->Search-->select "all files & folders"-->select "more advanced options"-->
check search "system folders", "hidden files & folders" & "sub-folders".
You may also navigate to the appropriate folder, right-click-->delete individual files.
(They may not exist, the previous steps may have eliminated them. We're double-checking some of these)
Do not delete main folders like C:\WINDOWS or C:\Program Files.

Delete manually:

C:\WINDOWS\BTGrab.dll
C:\WINDOWS\nem220.dll
C:\WINDOWS\zeta.exe
C:\WINDOWS\system32\sjjlth.exe

Delete Temp Files
To clean out your temp files use:
Start-->Run-->type in: %temp% and press the ok button.
This should open up the temp directory that your machine uses.
Please delete all files and folders found in the temp folder.
If you get an error when deleting a file, skip that file and delete all the others.
Doing this in Safe Mode you should be able to delete all the files.


Reboot your computer to go back to normal mode.

Delete Temporary Internet Files use:
Start Button-->Internet Explorer-->Tools-->Internet Options-->General tab-->Delete Files button
Put a checkmark in Delete offline content.
Press the OK button. This may take quite a while, but when it is done your Temporary Internet Files will be deleted.


Empty the recycle bin.

Run HijackThis again and post the new log as a reply to this post.
(Include comments regarding any problems you might have had,
and let us know if it's working better. Some additional options may exist)

patiently patrolling, plenty of persistent pests n' problems ...

#5 arrina_kiss


Posted 21 February 2005 - 10:06 AM

Hello Phawgg

The My Traveler & mail.com are both work related....the traveller is a memory stick & the mail.com is for the business mail.


I followed your instructions & hope I did not miss anything...here is the latest HJT log...


Logfile of HijackThis v1.99.0
Scan saved at 9:50:37 AM, on 2/21/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\mail.com\mcalert.exe
C:\Documents and Settings\VAN\Application Data\MyTraveler\MyTraveler.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe
C:\Documents and Settings\VAN\Desktop\Spyware stuff & info\Hijack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKCU\..\Run: [Mail.com] C:\Program Files\mail.com\mcalert.exe -auto
O4 - HKCU\..\Run: [MyTraveler] C:\Documents and Settings\VAN\Application Data\MyTraveler\MyTraveler.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\spysub.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O23 - Service: PCTEL Speaker Phone - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe

I hope I did not miss anything....lol


Let me know if I did

Thank you again for your help
Arrina :thumbsup:

#6 phawgg


Posted 21 February 2005 - 03:15 PM

arrina we are close to finishing.
Thank you for clearing up my
questions. :thumbsup:


Set your PC to:
show hidden files.
Additional information here.

Open your C:\HJT folder and double-click the icon.
Close everything except HijackThis, nothing else on your desktop.

Run Hijackthis:
click Scan, and put a checkmark next to each of the following objects:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm

Click the Fix button, when you're sure that files marked for deletion are correct.

Reboot into Safe Mode
by tapping F8 until the DOS screen appears.
Press "Yes".
Use the up arrow to choose safe mode.
Hit enter. "OK" the choice.


Search for, locate and delete files or folders
To find them use: Start-->Search-->select "all files & folders"-->select "more advanced options"-->
check search "system folders", "hidden files & folders" & "sub-folders".
You may also navigate to the appropriate folder, right-click-->delete individual files.
(They may not exist, the previous steps may have eliminated them. We're double-checking some of these)
Do not delete main folders like C:\WINDOWS or C:\Program Files.

Delete manually:

C:\WINDOWS\about.htm

Reboot your computer to go back to normal mode.

Run HijackThis again and post the new log as a reply to this post.
(Include comments regarding any problems you might have had,
and let us know if it's working better. Some additional options may exist)

Edited by phawgg, 21 February 2005 - 03:16 PM.

patiently patrolling, plenty of persistent pests n' problems ...
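
Added example, not part of any post in this thread and not a HijackThis feature: one way to check a follow-up log against the first log and the list of entries that were marked for Fix. The function names are hypothetical, and the sample lines are excerpts copied from the two logs posted above.

```python
import re

# A HijackThis entry is "<section> - <details>", e.g. "O4 - HKLM\..\Run: ...".
ENTRY = re.compile(r"^([RFNO]\d{1,2}) - (.+)$")

def parse_entries(log_text):
    """Return the set of (section, details) entries; header/process lines are skipped."""
    found = (ENTRY.match(line.strip()) for line in log_text.splitlines())
    return {(m.group(1), m.group(2)) for m in found if m}

def verify_fix(before, after, fixed):
    """Check a follow-up log against the first log and the entries marked for Fix."""
    b, a, f = (parse_entries(t) for t in (before, after, fixed))
    return {
        "not_in_first_log": sorted(f - b),      # fix list does not match the scan
        "still_present": sorted(f & a),         # fix did not take or was restored
        "new_entries": sorted(a - b),           # appeared since the first scan
        "gone_unrequested": sorted(b - a - f),  # removed by something else
    }

# Excerpts of the 16 and 21 February logs in this thread (not the full logs).
FIXED = r"""
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: BTGrabObj Class - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\WINDOWS\BTGrab.dll
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll
O4 - HKLM\..\Run: [sjjlth] c:\windows\system32\sjjlth.exe
O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe
"""
BEFORE = FIXED + r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O4 - HKCU\..\Run: [Mail.com] C:\Program Files\mail.com\mcalert.exe -auto
O17 - HKLM\System\CCS\Services\Tcpip\..\{F24161F0-CB66-4017-A256-B8E72E545570}: NameServer = 207.107.254.9 204.50.251.17
"""
AFTER = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll (file missing)
O4 - HKCU\..\Run: [Mail.com] C:\Program Files\mail.com\mcalert.exe -auto
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
"""

if __name__ == "__main__":
    for label, items in verify_fix(BEFORE, AFTER, FIXED).items():
        print(label, len(items))
        for section, details in items:
            print("   ", section, "-", details)
```

Entries are compared as exact strings, so a line that was retyped with different case or spacing will show up as both gone and new.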



