Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

can u help with my hijack log


  • This topic is locked This topic is locked
7 replies to this topic

#1 curly1880

curly1880

  • Members
  • 59 posts
  • OFFLINE
  •  
  • Local time:12:38 AM

Posted 05 October 2004 - 06:37 PM

Logfile of HijackThis v1.98.2
Scan saved at 7:35:37 PM, on 10/5/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\VetMsgNT.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\America Online 9.0c\aoltray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\Tyv5.exe
C:\WINDOWS\System32\Tyv5.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Family member\Local Settings\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F1 - win.ini: run=fntldr.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Core Library - {A23AB93D-6CFF-442c-BB8A-41F6145F47E7} - C:\WINDOWS\System32\PDF6a03.dll
O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - (no file)
O3 - Toolbar: (no name) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [LXBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [3SAHCS#4MABT@T] C:\WINDOWS\System32\Nbm6sh0.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0c\aoltray.exe
O4 - Global Startup: EZ Firewall.lnk = C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {65E7DB1D-0101-4100-BD66-C5C78C917F93} - http://install.wildtangent.com/bgn/partner...lim/install.cab
O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} - http://cabs.roings.com/cabs/mmed.cab





thanks a lot

BC AdBot (Login to Remove)

 


m

#2 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,394 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:12:38 AM

Posted 05 October 2004 - 10:20 PM

Someone is looking at your log now and will be with you shortly

#3 ddeerrff

ddeerrff

    Retired


  • Malware Response Team
  • 2,717 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Upper Midwest, US
  • Local time:11:38 PM

Posted 05 October 2004 - 10:47 PM

Hello Curly1880 and welcome to Bleeping Computer.

You have HijackThis running from a temporary folder. Any backup files HJT creates during the repair process will not be secure if left in a temporary folder.

Create a folder on the C: drive called C:\HJT. You can do this by going to My Computer (Windows key+e) then double click on C: then right click and select New then Folder and name it HJT. Unzip HijackThis into this folder. Please delete any other copies of HijackThis and run HJT only from this new folder. If required a tutorial is here: Hijackthis Folder Tutorial

Be sure to complete the above step before continuing.


You have a Peper infection

Download the removal tool to the desktop: Peper Removal Tool

!YOU MUST BE ONLINE WHEN RUNNING IT and let is have access to pass the firewall.
!!Please run this twice with a reboot after both the first and second runs.

Start HJT and click on the SCAN button. Put a check mark in front of the following lines if they still show:

F1 - win.ini: run=fntldr.exe

O2 - BHO: Core Library - {A23AB93D-6CFF-442c-BB8A-41F6145F47E7} - C:\WINDOWS\System32\PDF6a03.dll
O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - (no file)

O3 - Toolbar: (no name) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)

O4 - HKLM\..\Run: [3SAHCS#4MABT@T] C:\WINDOWS\System32\Nbm6sh0.exe

O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} - http://cabs.roings.com/cabs/mmed.cab

WildTangent is normally considered malware, but may be needed for some online games. If you do not use it, also check the following line for removal:
O16 - DPF: {65E7DB1D-0101-4100-BD66-C5C78C917F93} - http://install.wildtangent.com/bgn/partner...lim/install.cab

With ALL OTHER WINDOWS CLOSED, click on Fix Checked.

Reboot into Safe Mode and enable viewing of Hidden and System files. Open Windows Explorer (Windows key+e), drill down and delete the following files and folders if found:

C:\WINDOWS\System32\PDF6a03.dll <--File
C:\WINDOWS\System32\Nbm6sh0.exe <--File

Rehide Hidden and System Files.

Reboot into normal mode and post a new HJT log.
Derfram
~~~~~~

#4 curly1880

curly1880
  • Topic Starter

  • Members
  • 59 posts
  • OFFLINE
  •  
  • Local time:12:38 AM

Posted 06 October 2004 - 06:15 PM

hey thanks for all that info i did all what u have told me. i have a question dealing with this program called "support.com" i cant uninstall it so can u help me doing that through my log well thanks for the help here it is


Logfile of HijackThis v1.98.2
Scan saved at 7:14:08 PM, on 10/6/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\VetMsgNT.exe
C:\Program Files\America Online 9.0c\aoltray.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Family member\Desktop\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [LXBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBTtime.dll,_RunDLLEntry@16
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0c\aoltray.exe
O4 - Global Startup: EZ Firewall.lnk = C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab

#5 ddeerrff

ddeerrff

    Retired


  • Malware Response Team
  • 2,717 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Upper Midwest, US
  • Local time:11:38 PM

Posted 06 October 2004 - 07:15 PM

Rechecking the log now, I'll report on that soon.

I don't see any reference to "support.com" in your log.
What can you tell me about the program? Where do you see it listed?

If it's an icon, please right click on it and select properties. Under the Version tab, check to see what the company name is and any other info that may help identify it.
Derfram
~~~~~~

#6 curly1880

curly1880
  • Topic Starter

  • Members
  • 59 posts
  • OFFLINE
  •  
  • Local time:12:38 AM

Posted 06 October 2004 - 07:23 PM

i got this info from my firewall b/c it donest have a icon i havent seen it much i think i go tride of it but maybe i didnt
C:\programfiles\support.com\bin\tgcmd.exe

Support.com Scheduler and Command Dispatcher

Verison 5,5,624,0

size: 1800 kb

i dont no if that is useful but really if u dont see anything dont worry about it thanks for ur help how to hear back

#7 curly1880

curly1880
  • Topic Starter

  • Members
  • 59 posts
  • OFFLINE
  •  
  • Local time:12:38 AM

Posted 06 October 2004 - 07:35 PM

ok i looked under "add or remove programs" and it is listed as "pipline support agent" and when i say to uninstalll ir says its already uninstalled and it asked me if i wanted to remove it from my list ??

#8 ddeerrff

ddeerrff

    Retired


  • Malware Response Team
  • 2,717 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Upper Midwest, US
  • Local time:11:38 PM

Posted 07 October 2004 - 12:26 PM

What you just found in add/remove programs is consistant with what I had found researching support.com. Yes, just go ahead and have add/remove programs remove the listing.

As for the log.... Great job! The log is clean.


Now that you are clean, here are some simple steps to help keep your computer clean and secure:

Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. If there are new critical updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates. This will ensure your computer is up to date and the operating system is safe from the latest threats.


Use an AntiVirus Software - It is very important that you have an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

Equally as important is that you keep your AV up to date. Set it to auto-update if that option is available, otherwise update it at least weekly. If you do not keep your antivirus current, then it will not be able to catch any of the new variants that may come out.

Here are some of the more popular AV products.

Symantec/Norton Antivirus: http://www.symantec.com/nav/nav_9xnt/
Kaspersky AV: http://www.kaspersky.com/buyonline.html?info=25
Nod32: http://www.nod32.com/home/home.htm
Panda AV: http://www.pandasoftware.com/
McAfee Virusscan: http://us.mcafee.com/root/package.asp?pkgid=100
AVG Anti-Virus (Free version available) http://www.grisoft.com/

Norton is the most popular and one of the best. Many security junkies swear by Kapersky or Nod32. AVG is liked by many as it has a free version.


Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly.

The firewall built into Windows XP is better than nothing, but third party firewalls offer more complete protection. A very good firewall, with a free for personal use version, is ZoneAlarm, available from Zone Labs. Firewalls are also part of the Symantec and McAfee Security Suites.

You can test your firewall at one of the following sites:
Symantec Security: http://security.symantec.com
Gibson Research: http://www.grc.com (follow the links to Shield's-Up!)
DSL Reports Port Scanner: http://www.dslreports.com/scan

For a more in-depth tutorial, and an expanded listing of available firewalls, see
Understanding and Using Firewalls.


Make your Internet Explorer more secure - This can be done by following these simple instructions:
  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
    • Change the Download signed ActiveX controls to Prompt
    • Change the Download unsigned ActiveX controls to Disable
    • Change the Initialize and script ActiveX controls not marked as safe to Disable
    • Change the Installation of desktop items to Prompt
    • Change the Launching programs and files in an IFRAME to Prompt
    • Change the Navigate sub-frames across different domains to Prompt
    • When all these settings have been made, click on the OK button.
    • If it prompts you as to whether or not you want to save the settings, press the Yes button.
  • Next press the Apply button and then the OK to exit the Internet Properties page.
A in-depth treatise on IE privacy and security by Eric Howes can be found here


Install Spybot - Search and Destroy - Download and install the latest version of Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer as an adjunct to your virus protection. Keep this program updated and scan your system periodically with it just as you do with your antivirus software.

A tutorial on installing & using this product can be found at:
Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers


Install Ad-Aware SE - Download and install the latest version of Ad-Aware SE. Keep this program updated and use it to scan for malware on a regular basis just as you would an antivirus software in conjunction with Spybot.

A tutorial on installing & using this product can be found at:
Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer


Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from downloading and running known malicious programs.

A tutorial on installing & using this product can be found at:
Using SpywareBlaster to protect your computer from Spyware and Malware


Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Finally, practice safe computer habits. Don't click on strange email attachments thinking your AV will defend you. Usually it will, but sometimes it won't.

Follow this list and your potential for being infected again will be dramatically reduced.
Derfram
~~~~~~




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users