
HJT Log - Appreciating the Help!



#1 larrysnatch

larrysnatch

  • Members
  • 30 posts
  • OFFLINE
  •  
  • Local time:12:23 AM

Posted 19 August 2004 - 10:47 AM

Below is my HJT Log after having run Spybot & Adaware. Please review in hopes that I do not have any drastic issues.

PS: Could I modify any of my computer settings to limit/prevent spyware? I scan my computer every week, and every time I have spyware.

Thanks in advance!


************************************************************
Logfile of HijackThis v1.98.2
Scan saved at 8:17:51 AM, on 8/19/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v5.50 SP1 (5.50.4522.1800)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\NISSERV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\NISUM.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\IAMAPP.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\NETSHOW SERVICES\TOOLS\REXPROXY.EXE
C:\PROGRAM FILES\INTERNET CALL WAITING PC\CALLWAITING.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://v4.windowsupdate.microsoft.com/
F1 - win.ini: run=Qtstub.exe
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.yahoo.com"); (C:\Program Files\Sympatico\Users\User1\prefs.js)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Internet Security\IAMAPP.EXE
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [nisserv] C:\Program Files\Norton Internet Security\NISSERV.EXE
O4 - HKLM\..\RunServices: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Internet Call Waiting PC.lnk = C:\Program Files\Internet Call Waiting PC\CallWaiting.exe
O4 - Global Startup: NetShow PowerPoint Helper.lnk = C:\Program Files\NetShow Services\Tools\nsppthlp.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)


#2 groovicus

groovicus

  • Security Colleague
  • 9,963 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Centerville, SD
  • Local time:10:23 PM

Posted 20 August 2004 - 12:43 PM

The only thing I see is WinTools..

Put a checkmark next to the following entries in HijackThis. Make sure all other windows and browsers are closed before clicking on “Fix Checked”.

O4 - HKLM\..\RunServices: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

***********************************************************************

Boot into SAFE MODE by tapping the F8 key during boot up.

Delete the following:

C:\Program Files\Common files\WinTools\ <-- entire folder

If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again.

************************************************************************

Read this for prevention methods:
Groovicus’ Guide to Simple P.C. Security

#3 larrysnatch

Posted 20 August 2004 - 03:54 PM

Please note while waiting for a response I scanned my PC using Norton Anti-virus (installed on the PC) and it found no viruses. I then scanned my PC again using Pandasoft (via the internet) and it found 6 infected files.

Why is this? Is my NAV that is installed on the PC corrupt? Can I rely on the NAV in future?

#4 groovicus

Posted 20 August 2004 - 05:15 PM

Sometimes the online scanners are updated a bit faster... that's why I always recommend one in addition to your onboard AV. Where did it say it was finding the files?

Can I see a fresh log please? :D

#5 larrysnatch

Posted 22 August 2004 - 11:27 AM

Below are 2 of the 6 files that Pandasoft online antivirus found to be infected, and which my onboard NAV was not able to find:

VIRUSES *****************************************

Virus:Trj/Downloader.OG
Disinfected C:\hijackthis\backups\backup-20040816-221023-761.dll
Virus:W32/Magistr.B
Disinfected Personal Folders\Lorenzo\Software\You can verify\Troubleshooting.pif
******************************************************

Below is my HijackThis log after having removed WinTools:

HIJACKTHIS LOG **************************************

Logfile of HijackThis v1.98.2
Scan saved at 11:50:32 AM, on 8/22/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v5.50 SP1 (5.50.4522.1800)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\NISSERV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\NISUM.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\IAMAPP.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\INTERNET CALL WAITING PC\CALLWAITING.EXE
C:\PROGRAM FILES\NETSHOW SERVICES\TOOLS\REXPROXY.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
F1 - win.ini: run=Qtstub.exe
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.yahoo.com"); (C:\Program Files\Sympatico\Users\User1\prefs.js)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Internet Security\IAMAPP.EXE
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [nisserv] C:\Program Files\Norton Internet Security\NISSERV.EXE
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Internet Call Waiting PC.lnk = C:\Program Files\Internet Call Waiting PC\CallWaiting.exe
O4 - Global Startup: NetShow PowerPoint Helper.lnk = C:\Program Files\NetShow Services\Tools\nsppthlp.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

*****************************************************************

#6 groovicus

Posted 22 August 2004 - 11:31 AM

One of those files is in the HJT backups folder. That's a good place for it, because you can delete all the HJT backups.

The other one is in quarantine, and can no longer hurt anything. If you want, you can manually delete that file.

Your log is clean though. :D
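
An added example, not part of the thread and not HijackThis code: comparing the entry lines of the first and the follow-up log confirms that the two entries selected for "Fix Checked" are gone and shows what else changed between scans. The function names are hypothetical, and the sample logs are excerpts of the entry lines posted in this thread.

```python
import re

# A HijackThis entry line is a section code (R0, F1, N1, O4, O16, ...)
# followed by " - " and the detail; process paths and headers do not match.
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")

def parse_entries(log_text):
    """Map a case-insensitive (code, detail) key to the entry as written."""
    entries = {}
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            code, detail = m.groups()
            entries[(code, detail.casefold())] = (code, detail)
    return entries

def diff_logs(before, after):
    """Return (removed, added) entries between two scans, each sorted."""
    b, a = parse_entries(before), parse_entries(after)
    removed = sorted(b[k] for k in b.keys() - a.keys())
    added = sorted(a[k] for k in a.keys() - b.keys())
    return removed, added

def still_present(after, fixed_lines):
    """Entries selected for fixing that still show up in the follow-up scan."""
    a = parse_entries(after)
    fixed = parse_entries("\n".join(fixed_lines))
    return sorted(a[k] for k in fixed if k in a)

# Excerpts of the two logs posted in this thread (19 and 22 August scans).
BEFORE = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://v4.windowsupdate.microsoft.com/
F1 - win.ini: run=Qtstub.exe
O4 - HKLM\..\RunServices: [nisserv] C:\Program Files\Norton Internet Security\NISSERV.EXE
O4 - HKLM\..\RunServices: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
"""
AFTER = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
F1 - win.ini: run=Qtstub.exe
O4 - HKLM\..\RunServices: [nisserv] C:\Program Files\Norton Internet Security\NISSERV.EXE
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
"""
FIXED = BEFORE.strip().splitlines()[3:5]  # the WinTools and O9 entries from post #2

if __name__ == "__main__":
    removed, added = diff_logs(BEFORE, AFTER)
    print("removed:", *removed, sep="\n  ")
    print("added:", *added, sep="\n  ")
    print("fixed entries still present:", still_present(AFTER, FIXED))
```
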



