
hijackthis.log -


  • This topic is locked
4 replies to this topic

#1 mapostolidis

mapostolidis

  • Members
  • 11 posts
  • OFFLINE
  • Local time:04:39 AM

Posted 12 December 2004 - 10:16 PM

Hello,

Below is a log file from hijack this. I am trying to help out a friend. Any help on what we should remove or keep would be greatly appreciated. Please let me know if you need anything from me, like details of symptoms or other info. Thank you!

Michael



Logfile of HijackThis v1.97.7
Scan saved at 8:42:56 PM, on 12/12/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\TDOLE2S.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\NETZERO\EXEC.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\CXTPLS\CXTPLS.EXE
C:\MY DOCUMENTS\MY DOWNLOADS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.e4me.com/start.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.netzero.net/s/search?r=minisearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\PROGRAM FILES\NZSEARCH\SEARCHENH1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: (no name) - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - C:\WINDOWS\LOCALNRD.DLL
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\PROGRAM FILES\CXTPLS\CXTPLS.DLL
O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\SYSTB.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\PROGRAM FILES\NETZERO\TOOLBAR.DLL
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\PROGRAM FILES\NETZERO\TOOLBAR.DLL
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\SYSTEM\winupdtl.exe
O4 - HKLM\..\Run: [saie] c:\windows\system\saie.exe
O4 - HKLM\..\Run: [rhqbgakc] C:\WINDOWS\SYSTEM\jfclvm.exe
O4 - HKLM\..\Run: [CONSCORR] C:\WINDOWS\CONSCORR.exe
O4 - HKLM\..\Run: [CSV7P70] \Progra~1\CSBB\CSV7P070.EXE
O4 - HKLM\..\Run: [AutoUpdater] "c:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [krkbud] C:\WINDOWS\krkbud.exe
O4 - HKLM\..\Run: [TDOLE2S] C:\WINDOWS\SYSTEM\TDOLE2S.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\hcm.exe" -w
O4 - HKCU\..\Run: [NetZero_uoltray] C:\PROGRAM FILES\NETZERO\EXEC.EXE regrun
O4 - HKCU\..\Run: [DR_S] C:\Program Files\DR_S\DR_S.exe
O4 - HKCU\..\Run: [bovqRWanl] CDFET35.EXE
O4 - HKLM\..\RunOnce: [SpyBotSnD] "C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\SPYBOTSD.EXE" /autocheck
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O9 - Extra button: Real.com (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.e4me.com/start.html
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7919.6727083333
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...399/mcfscan.cab
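Added example, not from this thread or from HijackThis itself: a small Python parser for the R0/R1, O2/O3 and O4 lines of a log in the v1.97 format above, plus a summary of where the IE search and start-page settings point, which autoruns exist per hive, which toolbar/BHO entries point at no file, and which autorun commands are given without a path (those resolve through PATH lookup, so the file to inspect is not obvious). SAMPLE_LOG is a constructed subset of the lines posted above; the function and regex names are my own.

```python
import re
from collections import Counter
from urllib.parse import urlparse
# Constructed sample in the shape of the HijackThis v1.97 log posted above
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.e4me.com/start.html
O2 - BHO: (no name) - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - C:\WINDOWS\LOCALNRD.DLL
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [rhqbgakc] C:\WINDOWS\SYSTEM\jfclvm.exe
O4 - HKCU\..\Run: [bovqRWanl] CDFET35.EXE
"""

ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^(?P<kind>BHO|Toolbar): (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")

def parse_hjt(text):
    """Turn each R*/O* line into a dict; lines of sections not handled here are kept raw."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        e = {"code": code, "raw": line.strip()}
        if code in ("R0", "R1") and " = " in body:
            key, _, value = body.partition(" = ")
            url = value if "://" in value else "http://" + value  # some R1 values lack a scheme
            e.update(key=key, value=value, host=urlparse(url).hostname)
        elif code == "O4" and (m4 := O4_RE.match(body)):
            e.update(m4.groupdict())
        elif code in ("O2", "O3") and (m23 := O23_RE.match(body)):
            e.update(m23.groupdict())
        entries.append(e)
    return entries

def summarize(entries):
    """Pivot the log the way a helper triages it: search/start hosts, autoruns per hive,
    entries whose file is gone, and autorun commands given without any path."""
    hosts = Counter(e["host"] for e in entries if e.get("host"))
    autoruns = {}
    for e in entries:
        if e["code"] == "O4" and "cmd" in e:
            autoruns.setdefault(e["hive"], []).append((e["name"], e["cmd"]))
    no_file = [e["raw"] for e in entries if e.get("path") == "(no file)"]
    bare = [e["name"] for e in entries if "cmd" in e and "\\" not in e["cmd"]]
    return {"hosts": dict(hosts), "autoruns": autoruns, "no_file": no_file, "bare_commands": bare}
```

Run `summarize(parse_hjt(open("hijackthis.log").read()))` on a full log to get the same pivots for every entry it contains.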


#2 pskelley

pskelley

  • Staff Emeritus
  • 1,487 posts
  • OFFLINE
  • Local time:05:39 AM

Posted 13 December 2004 - 05:00 PM

I'm taking a look at this one...pskelley
MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006

#3 pskelley

pskelley

  • Staff Emeritus
  • 1,487 posts
  • OFFLINE
  • Local time:05:39 AM

Posted 13 December 2004 - 07:30 PM

Hello Michael, Welcome to BleepingComputer.com. Your friend does have some nasty stuff, and is not running an antivirus program. I also see no firewall and I need to suggest that Internet Explorer needs updating to v6.0 along with the critical patches for IE and ME.

If you wish to help your friend, then please follow these steps:

1) Download and install an antivirus program; an online scan will not give you any protection at all. Here are three free versions to choose from:

http://free.grisoft.com/freeweb.php
http://www.avast.com/eng/avast_4_home.html
http://www.my-etrust.com/microsoft/index.c...582BE49AF2FC446

2) Install a firewall, here are two free ones to choose from:

http://www.zonelabs.com/store/content/comp...reeDownload.jsp
http://smb.sygate.com/products/spf_standard.htm

3) Go to Windows Updates and install all the critical stuff Microsoft suggests for this computer.

4) I see Spybot, but do you have Ad-aware? I want you to use the two links below to make sure you have Ad-aware SE Personal and Spybot S&D 1.3. Use the tutorials to make sure your programs are updated, configured exactly as the tutorials suggest, and run removing anything located as per the instructions. You may disregard any DSO Exploits, as this is a glitch in Spybot that will be fixed with the next updates. Please note anything these two programs can't fix and post that information with your next log.
Ad-aware:
http://www.bleepingcomputer.com/forums/ind...showtutorial=48
Spybot:
http://www.bleepingcomputer.com/forums/ind...showtutorial=43

5) Run at least two of these free online scans having them fix or clean anything located. Note anything that can't be fixed:
http://housecall.trendmicro.com/
http://www.pandasoftware.com/activescan/co...n_principal.htm
http://www.bitdefender.com/scan/license.php
http://www.kaspersky.com/scanforvirus.html
http://www.ravantivirus.com/scan/

6) Run at least one of these free online scans with the same instructions:
http://www.windowsecurity.com/trojanscan/
http://scan.sygatetech.com/pretrojanscan.html

7) Your HijackThis version is outdated; you can update from within the program like this: "Config"=>"Misc Tools"=>"Check for updates online". While you are doing this, please look at the positioning of the HijackThis.exe. The program needs to have its own folder to store backups for safety and logs you will create. I suggest you do this. In MyDocuments, create a new folder and call it HJT. When you download the new version, direct it to that folder. Then delete the old version. It will then look like this: C:\MyDocuments\HJT\HijackThis.exe.

8) Run cleanmgr: Start, Run, type "cleanmgr" without the quotes, then OK. Allow Windows to remove anything it locates. Empty the recycle bin and restart the computer. Then, using Add Reply to stay in this same thread, post a new log along with your comments from the above scans, and any other feedback you think we should have. There will be more to do.

Thanks...pskelley
BleepingComputer.com

Edited by pskelley, 13 December 2004 - 07:34 PM.

MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006

#4 mapostolidis

mapostolidis
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:04:39 AM

Posted 13 December 2004 - 11:55 PM

Hi.

Thank you for your reply. I appreciate your help on this. I am trying to download ad-aware software now but the system seems to be busy and it is not downloading.

Many of the measures you suggested seem to be preventative. Was there anything I can remove based on the hijackthis.log file that I posted to get rid of the problem? My friend's system is very slow because of the hijacking, so upgrading her security while this hijacker is still on board is going to be difficult. I can repost the log with the newer version of hijackthis if needed. Please let me know what you think.

Michael

#5 pskelley

pskelley

  • Staff Emeritus
  • 1,487 posts
  • OFFLINE
  • Local time:05:39 AM

Posted 14 December 2004 - 06:14 AM

Hello Michael, I must point out that you have brought me a computer that is in fairly bad shape. I can see a lot of bad adware, and what appears to be trojans, and who knows what I can't see. The tools in the scan do a far better job of removing the worst of this stuff, leaving (hopefully) little to be removed manually with HJT. HijackThis just can't get into the areas these scans can. I must also say that the lack of an active antivirus program and a firewall are the reason you have these issues in the first place. I set the fix up in the order it should be done for maximum efficiency. Step one, getting an antivirus program in place, is vip, as reinfection without one can occur quickly online. Step two is also important, and many bad items find their way onto the computer through open ports. I will say, as important as the updates in Step three are, you can wait until you are clean to do Critical Updates at Microsoft. I would also have to say that if directions have been followed, these steps should have been completed prior to downloading Ad-aware. If you wish, you can download Spybot, follow the directions and then run it, removing the bad stuff it finds, then try Ad-aware again. You may also run the free online scans in any order you wish. I do appreciate that this is difficult, and I have no objections to posts such as this for directions; when malware writers create this garbage, they do so realizing someone out here is going to try to remove it, and they create it with that in mind. To recap for you:

Numbered items:

1) A must

2) A must

3) As soon as possible

4, 5, 6) All of these scans are important, but you may do them in any order,
please make sure to read the tutorials for Ad-aware and Spybot carefully.
You may use the Safe Mode if it will help: http://www.bleepingcomputer.com/forums/ind...torial=61#winxo

7) Just needs to be completed before you post the next log.

I hope this helps, keep me posted, thanks...pskelley
MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006



