Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Hijac This log : Please help diagnose


  • Please log in to reply
1 reply to this topic

#1 gduv

gduv

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Colorado
  • Local time:04:09 AM

Posted 13 August 2005 - 11:07 PM

Logfile of HijackThis v1.99.1
Scan saved at 11:50:44 AM, on 8/13/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\AVPERSONAL\AVGCTRL.EXE
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\WINDOWS\RunDLL.exe
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
C:\PROGRAM FILES\ID-BLASTER PLUS\IDBLASTERPLUS.EXE
C:\PROGRAM FILES\UTILITIES\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = IE F.Dove
O2 - BHO: (no name) - {206E52E0-D52E-11D4-AD54-0000E86C26F6} - C:\PROGRA~1\FRESHD~1\FRESHD~1\FDCATCH.DLL
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\stimon.exe
O4 - HKLM\..\Run: [AVGCtrl] C:\PROGRAM FILES\AVPERSONAL\AVGCTRL.EXE /min
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O15 - Trusted Zone: http://www.wellsfargo.com
O15 - Trusted Zone: http://www.windowsupdate.com
O15 - Trusted Zone: http://www.wamu.com
O15 - Trusted Zone: http://download.zonelabs.com
O15 - Trusted Zone: http://www.leechget.net
O15 - Trusted Zone: http://www.toatalspeed.net
O15 - Trusted Zone: http://members.totalspeed.net
O15 - Trusted Zone: http://mail.totalspeed.net
O15 - Trusted Zone: http://housecall.trendmicro.com
O15 - Trusted Zone: http://www.weather.com
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} -



I first noticed something amiss after using the updated Autoruns app and doing a search of odd registry keys. I have run updated spyware/ virus scans (8/12/05). Start-up log follows.


StartupList report, 8/13/05, 5:49:30 PM
StartupList version: 1.52.2
Started from : C:\PROGRAM FILES\UTILITIES\HIJACKTHIS.EXE
Detected: Windows 98 SE (Win9x 4.10.2222A)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\AVPERSONAL\AVGCTRL.EXE
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\ID-BLASTER PLUS\IDBLASTERPLUS.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\PROGRAM FILES\UTILITIES\HIJACKTHIS.EXE

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\WINDOWS\Start Menu\Programs\StartUp]
SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ScanRegistry = C:\WINDOWS\scanregw.exe /autorun
SystemTray = SysTray.Exe
LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
StillImageMonitor = C:\WINDOWS\SYSTEM\stimon.exe
AVGCtrl = C:\PROGRAM FILES\AVPERSONAL\AVGCTRL.EXE /min
TaskMonitor = C:\WINDOWS\taskmon.exe
Zone Labs Client = C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
Tweak UI = RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Taskbar Display Controls = RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[AutorunsDisabled]
InCD = C:\Program Files\ahead\InCD\InCD.exe

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

[AutorunsDisabled]
SpybotSD TeaTimer = C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = C:\WINDOWS\NOTEPAD.EXE %1

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=Explorer.exe
SCRNSAVE.EXE=
drivers=mmsystem.dll power.drv

--------------------------------------------------

C:\WINDOWS\WININIT.BAK listing:
(Created 10/8/2005, 21:36:14)

[Rename]
NUL=C:\WINDOWS\SYSTEM\BROWSEUI.DLL
C:\WINDOWS\SYSTEM\BROWSEUI.DLL=C:\WINDOWS\SYSTEM\SET4084.TMP
NUL=C:\WINDOWS\SYSTEM\IEPEERS.DLL
C:\WINDOWS\SYSTEM\IEPEERS.DLL=C:\WINDOWS\SYSTEM\SET40A2.TMP
NUL=C:\WINDOWS\SYSTEM\MSHTML.DLL
C:\WINDOWS\SYSTEM\MSHTML.DLL=C:\WINDOWS\SYSTEM\SET40B1.TMP
NUL=C:\WINDOWS\SYSTEM\SHDOCVW.DLL
C:\WINDOWS\SYSTEM\SHDOCVW.DLL=C:\WINDOWS\SYSTEM\SET40C2.TMP
NUL=C:\WINDOWS\SYSTEM\SHLWAPI.DLL
C:\WINDOWS\SYSTEM\SHLWAPI.DLL=C:\WINDOWS\SYSTEM\SET40D1.TMP
NUL=C:\WINDOWS\SYSTEM\URLMON.DLL
C:\WINDOWS\SYSTEM\URLMON.DLL=C:\WINDOWS\SYSTEM\SET40E0.TMP
NUL=C:\WINDOWS\SYSTEM\WININET.DLL
C:\WINDOWS\SYSTEM\WININET.DLL=C:\WINDOWS\SYSTEM\SET40E6.TMP

--------------------------------------------------

C:\AUTOEXEC.BAT listing:

C:\essolo.com
Set tvdumpflags=10
MSCDEX /D:MSCD001 /V
Set tvdumpflags=10

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\PROGRA~1\FRESHD~1\FRESHD~1\FDCATCH.DLL - {206E52E0-D52E-11D4-AD54-0000E86C26F6}
(no name) - (no file) - AutorunsDisabled
SpywareGuard Download Protection - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL - {4A368E80-174F-4872-96B5-0B27DDD11DB2}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Tune-up Application Start.job
Windows Critical Update Notification.job

--------------------------------------------------

Enumerating Download Program Files:

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
CODEBASE = http://download.macromedia.com/pub/shockwa...ash/swflash.cab

[Update Class]
InProcServer32 = C:\WINDOWS\SYSTEM\IUCTL.DLL
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/...8413.6743055556

[HouseCall Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\XSCAN53.OCX
CODEBASE = http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

[{CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA}]

--------------------------------------------------
End of report, 5,751 bytes
Report generated in 0.518 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only



I really do thank you folks for your help. I'd rather get it right than screw up my registry.
I can be contacted at personal messages for : gduv or can be contacted at my e-mail addy fatdove52@dovegardens.com . Thank you a ton.
Much health and happiness to you and yours.


Apple IBook/ OS X 10.2.8/ Camino 1.03/I-Cab/Safari 1.03/
and a Frog in a Tuxedo

7450 I-Mac, G4/ 1.2 ghrz/1.5gb RAM/ single core/OS X 10.5.8/ Camino/ Neo Office/Seashore/ Bean/ Java update

BC AdBot (Login to Remove)

 


m

#2 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:06:09 AM

Posted 15 August 2005 - 10:39 PM

Hello gduv and welcome to the BC HijackThis forum. I do not see any problems in this log. It is clean.

If you are having any specific issues at this time please provide the details of the problem and I can point you to the correct forum.

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users