hijack this log help



#1 dizzletinizzle


Posted 08 June 2004 - 01:27 PM

Here is my HijackThis log. I noticed a link for xxxtoolbar but there may be more issues in here, I'm not sure...

Logfile of HijackThis v1.97.7
Scan saved at 2:21:44 PM, on 6/8/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\ptsnoop.exe
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\WINDOWS\WT\UPDATER\WCMDMGR.EXE
C:\PROGRAM FILES\ISTSVC\ISTSVC.EXE
C:\PROGRAM FILES\INTERNET OPTIMIZER\OPTIMIZE.EXE
C:\PROGRAM FILES\VIEWPOINT\VIEWPOINT MANAGER\VIEWMGR.EXE
C:\WINDOWS\SYSTEM\SVCHOST.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\RYDRRTKWBP.EXE
C:\PROGRAM FILES\AMERICA ONLINE 8.0D\AOLTRAY.EXE
C:\WINDOWS\SYSTEM\ZSTATUS.EXE
C:\PROGRAM FILES\INTERNET OPTIMIZER\ACTALERT.EXE
C:\PROGRAM FILES\AMERICA ONLINE 8.0D\WAOL.EXE
C:\PROGRAM FILES\AMERICA ONLINE 8.0D\SHELLMON.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\AMERICA ONLINE 8.0D\AOLWBSPD.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.ezcybersearch.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.ezcybersearch.com/search
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {F7F808F0-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\NEM218.DLL
O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - C:\WINDOWS\BI.DLL
O2 - BHO: (no name) - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINDOWS\WSEM218.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE
O4 - HKLM\..\Run: [hp 1000 firmware] C:\Program Files\hp LaserJet 1000\fwdl.exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [msbb] c:\program files\180solutions\msbb.exe
O4 - HKLM\..\Run: [BELT] C:\WINDOWS\BELT.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [System Update2] c:\windows\system\svchost.exe
O4 - HKCU\..\Run: [cv051cnrz1] C:\WINDOWS\RYDRRTKWBP.EXE
O4 - Startup: UPS Online PLD Reminder Utility.lnk = C:\UPS\UOWS\PldReminder.exe
O4 - Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0d\aoltray.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .avi: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macrom...abs/swflash.cab
O16 - DPF: {DA9A0B1E-9B7B-11D3-B8A4-00C04F79641C} (NSUpdateLiteCtrl Class) - http://xbs.mtree.com.../us/NSupd9x.cab
O16 - DPF: {EF86873F-04C2-4A95-A373-5703C08EFC7B} (Installer Class) - http://www.xxxtoolba...s/v3.0/0006.cab
O16 - DPF: {11111111-1111-1111-1111-111111111111} - mhtml:file://C:NXSFT.MHT!http://69.31.85.219:80/iex/ofile.exe
O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\Recycled\1.exe
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net



Also, I used CWShredder and removed files that were attached to Windows Media Player. During the scanning, though, it mentioned that there were a few programs that were potentially created randomly by a spyware program, including rydrrtkwbp.exe, hav38jetg8.exe, 38hi9konrm.exe, ae55ozga5w.exe (all located in C:\WINDOWS\). Are these files dangerous, and if so, should I run CWShredder to remove them? Thank you in advance.

#2 [Red]


Posted 08 June 2004 - 01:43 PM

Hi dizzletinizzle,

Well, those files "could" be dangerous, or could be broken and useless. The only way to make sure is to use CWShredder to remove them, or go into safe mode and delete them yourself.

Well, just from browsing your log I found some items that probably are causing most of your problems.
  • R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
  • O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - C:\WINDOWS\BI.DLL
  • O16 - DPF: {EF86873F-04C2-4A95-A373-5703C08EFC7B} (Installer Class) - http://www.xxxtoolba...s/v3.0/0006.cab
  • O16 - DPF: {11111111-1111-1111-1111-111111111111} - mhtml:file://C:NXSFT.MHT!http://69.31.85.219:80/iex/ofile.exe
  • O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\Recycled\1.exe
After you delete those entries:
  • Reboot into safe mode
  • Delete: C:\WINDOWS\BI.DLL
  • Delete: C:NXSFT.MHT!
  • Delete (if found): C:\windows\rydrrtkwbp.exe
    C:\windows\hav38jetg8.exe
    C:\windows\38hi9konrm.exe
    C:\windows\ae55ozga5w.exe
  • Make sure c:\Recycled\1.exe is deleted
  • Reboot and post a new log, and say whether it is still affecting you.

Edited by [Red], 08 June 2004 - 01:52 PM.
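A small triage script, added here as an illustration and not part of [Red]'s reply or of the HijackThis tool itself: it parses lines in the HijackThis log format shown above and flags the same kinds of entries [Red] picked out (an O16 DPF whose source is a local file:// or mhtml: path rather than a web URL, an R3 URLSearchHook with no file behind it, an unnamed O2 BHO, and an O4 autorun of a random-looking 10-character executable in C:\WINDOWS). The sample log lines and the example.invalid URLs are constructed, and the heuristics are mine, not HijackThis's.

```python
import re

# Constructed sample in HijackThis v1.97 log format, modelled on the entries
# discussed above; the URLs are placeholders, not the ones from the posted log.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - C:\WINDOWS\BI.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKCU\..\Run: [cv051cnrz1] C:\WINDOWS\RYDRRTKWBP.EXE
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://example.invalid/swflash.cab
O16 - DPF: {11111111-1111-1111-1111-111111111111} - mhtml:file://C:NXSFT.MHT!http://example.invalid/ofile.exe
O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\Recycled\1.exe
"""

# Every HijackThis entry is "<section code> - <body>", e.g. "O4 - HKLM\..\Run: ...".
LINE_RE = re.compile(r"^(?P<code>[RFNO]\d+) - (?P<body>.*)$")
# Heuristic of mine: the CWShredder-flagged names in this thread are all
# 10 random alphanumerics sitting directly under C:\WINDOWS.
RANDOM_EXE_RE = re.compile(r"\\windows\\([a-z0-9]{10})\.exe\b", re.IGNORECASE)

def parse_line(line):
    """Split one log line into (section code, body); None for non-entry lines."""
    m = LINE_RE.match(line.strip())
    return (m.group("code"), m.group("body")) if m else None

def assess(code, body):
    """Return a reason string when the entry matches a heuristic, else None."""
    low = body.lower()
    if code == "O16" and not low.rsplit(" - ", 1)[-1].startswith(("http://", "https://")):
        return "DPF source is a local file:// or mhtml: path, not a web URL"
    if code == "R3" and "(no file)" in low:
        return "URLSearchHook points at a file that does not exist"
    if code == "O2" and low.startswith("bho: (no name)"):
        return "unnamed Browser Helper Object"
    if code == "O4" and RANDOM_EXE_RE.search(body):
        return "autorun of a random-looking executable in C:\\WINDOWS"
    return None

def triage(log_text):
    """Return [(code, reason, line)] for every entry that trips a heuristic."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        reason = assess(*parsed) if parsed else None
        if reason:
            findings.append((parsed[0], reason, line.strip()))
    return findings
```

Running `triage(SAMPLE_LOG)` returns the five entries that [Red] listed for removal and leaves the Norton toolbar, ScanRegistry and Flash entries alone.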


#3 dizzletinizzle


Posted 08 June 2004 - 02:05 PM

Logfile of HijackThis v1.97.7
Scan saved at 3:02:13 PM, on 6/8/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.ezcybersearch.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.ezcybersearch.com/search
O2 - BHO: (no name) - {F7F808F0-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\NEM218.DLL
O2 - BHO: (no name) - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINDOWS\WSEM218.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE
O4 - HKLM\..\Run: [hp 1000 firmware] C:\Program Files\hp LaserJet 1000\fwdl.exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [msbb] c:\program files\180solutions\msbb.exe
O4 - HKLM\..\Run: [BELT] C:\WINDOWS\BELT.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [System Update2] c:\windows\system\svchost.exe
O4 - HKCU\..\Run: [cv051cnrz1] C:\WINDOWS\RYDRRTKWBP.EXE
O4 - Startup: UPS Online PLD Reminder Utility.lnk = C:\UPS\UOWS\PldReminder.exe
O4 - Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0d\aoltray.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .avi: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macrom...abs/swflash.cab
O16 - DPF: {DA9A0B1E-9B7B-11D3-B8A4-00C04F79641C} (NSUpdateLiteCtrl Class) - http://xbs.mtree.com.../us/NSupd9x.cab


Things already seem to be moving much faster than they have been, thank you. I also now have a lot of backup files on my desktop, 2 .dll and the others with no extension. Should I just delete them also?

#4 [Red]


Posted 08 June 2004 - 04:45 PM

Hi again,

Move them into a folder named "Hijackthis" on your C drive, along with the .exe of HijackThis.

Along with that, it seems you made your new log in safe mode, please reboot into normal mode and post a new log.

Also, do you know what these programs are? I am not sure if they are a problem, but I am just wondering if you know about them.
  • O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
  • O4 - HKLM\..\Run: [BELT] C:\WINDOWS\BELT.exe
If you want to see if they are something that you don't want, go to Start > Run > msconfig

Then in the start-up section uncheck them and restart. If something goofs up because of it to the point where you can't reopen msconfig, restart into safe mode to fix it.

I will look into them, but for now, if you are up to it and know how to do what I suggested, it's worth a try to just disable them through msconfig (startup) and not remove them through HijackThis.

Edited by [Red], 08 June 2004 - 04:53 PM.


#5 TangleWeb


Posted 08 June 2004 - 05:06 PM

"Belt.exe" is definitely spyware.

"PTSNOOP.EXE" relates to his modem. Leave that one.

~Dave

Edited by TangleWeb, 08 June 2004 - 05:07 PM.


#6 [Red]


Posted 08 June 2004 - 05:11 PM

Thanks for your input Tangle, I just found that information as well.


Well, with that said, remove this item:
  • O4 - HKLM\..\Run: [BELT] C:\WINDOWS\BELT.exe
Then:
  • Reboot into safe mode
  • Delete: C:\WINDOWS\BELT.exe
  • Reboot into normal mode
  • Post a new HijackThis log and say how your PC is running

Edited by [Red], 08 June 2004 - 05:13 PM.
