Hijack This log


5 replies to this topic

#1 tekwrite

tekwrite

    Member

  • Full Member
  • Pip
  • 5 posts

Posted 12 June 2004 - 09:41 AM

I need help with this hijack this log. Thank you.

Logfile of HijackThis v1.97.7
Scan saved at 5:34:56 PM, on 6/11/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
D:\PROGRAMS\ROXIO\GOBACK\GBPOLL.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
D:\PROGRAMS\NORTON SYSTEMWORKS\NORTON UTILITIES\NPROTECT.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE
D:\PROGRAMS\NORTON SYSTEMWORKS\NORTON GHOST\GHOSTSTARTSERVICE.EXE
D:\PROGRAMS\NET NANNY\NNSVC.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
D:\PROGRAMS\NORTON SYSTEMWORKS\NORTON GHOST\GHOSTSTARTTRAYAPP.EXE
C:\WINDOWS\STARTER.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
D:\PROGRAMS\NET NANNY\NNTRAY.EXE
D:\PROGRAMS TO BE INSTALLED\FRAMXPRO\FREERAM XP PRO 1.40.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\START MENU\PROGRAMS\STARTUP\RSRCMTR.EXE
C:\PROGRAM FILES\LINKSYS\WMP11 CONFIG UTILITY\WMP11CFG.EXE
D:\PROGRAMS\ROXIO\GOBACK\GBTRAY.EXE
D:\PROGRAMS\MICROSOFT REFERENCE\BOOKSHELF 99\QSHELF99.EXE
D:\PROGRAMS\LOGITECH\PROFILER\LWEMON.EXE
C:\WINDOWS\SYSTEM\OLAB.EXE
C:\WINDOWS\SYSTEM\BYBX21Y.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\ALL USERS\DESKTOP\UTILITIES\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.srh.noaa....city=Blacksburg
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\PROGRAMS\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\REAL\TOOLBAR\REALBAR.DLL
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Programs\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.ExE
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [3dfx Tools] rundll32.exe 3dfxCmn.dll,CMNUpdateOnBoot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] D:\Programs\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [NPROTECT] D:\Programs\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [fash] C:\WINDOWS\fash.exe
O4 - HKLM\..\Run: [39CA3EB28KX@9H] C:\WINDOWS\SYSTEM\WditARpr.exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NNTray] D:\PROGRAMS\NET NANNY\nnstart.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [GoBack Polling Service] d:\Programs\Roxio\GoBack\GBPoll.exe
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [NPROTECT] D:\Programs\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
O4 - HKLM\..\RunServices: [GhostStartService] D:\PROGRAMS\NORTON SYSTEMWORKS\NORTON GHOST\GHOSTSTARTSERVICE.EXE
O4 - HKLM\..\RunServices: [NNSvc] D:\PROGRAMS\NET NANNY\nnsvc.exe
O4 - HKCU\..\Run: [Start WingMan Profiler] "d:\Programs\Logitech\Profiler\lwtest.exe" /detect /quiet /launch "d:\Programs\Logitech\Profiler\lwemon.exe /noui"
O4 - HKCU\..\Run: [WAPI] C:\WINDOWS\SYSTEM\wtssvsu.exe
O4 - HKCU\..\Run: [FreeRAM XP] "D:\PROGRAMS TO BE INSTALLED\FRAMXPRO\FREERAM XP PRO 1.40.EXE" -win
O4 - HKCU\..\RunServices: [Start WingMan Profiler] "d:\Programs\Logitech\Profiler\lwtest.exe" /detect /quiet /launch "d:\Programs\Logitech\Profiler\lwemon.exe /noui"
O4 - HKCU\..\RunServices: [WAPI] C:\WINDOWS\SYSTEM\wtssvsu.exe
O4 - HKCU\..\RunServices: [FreeRAM XP] "D:\PROGRAMS TO BE INSTALLED\FRAMXPRO\FREERAM XP PRO 1.40.EXE" -win
O4 - Startup: RSRCMTR.EXE
O4 - Startup: Wireless PCI Card Configuration Utility.lnk = C:\Program Files\Linksys\WMP11 Config Utility\WMP11Cfg.exe
O4 - Startup: GoBack.lnk = d:\Programs\Roxio\GoBack\GBTray.exe
O4 - Startup: AdsGone 2004.lnk = D:\Programs\AdsGone\adsgone.exe
O8 - Extra context menu item: Shorten URL - http://www.cjb.net/menuext.html
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .fpx: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll
O12 - Plugin for .ivr: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7962.5463657407
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150...ip/RdxIE601.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {E13F1132-4CA0-4005-84D3-51406E27D269} (BTDownloadCtrl Control) - http://www.shockwave...ownloadCtrl.cab
O16 - DPF: Metakenkoh Applets - https://beta.bodymed...mmetakenkoh.cab

#2 baskar1234

baskar1234

    Member

  • Trusted Advisor
  • Pip
  • 99 posts

Posted 12 June 2004 - 10:04 AM

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
Hello,

Please download and run Peperfix.exe from the link below.

Here

Reboot.

Close all browser windows. Run HijackThis. Hit the Scan button. Put a check mark on the following entries and hit the FIX CHECKED button.

O4 - HKLM\..\Run: [fash] C:\WINDOWS\fash.exe
O4 - HKLM\..\Run: [39CA3EB28KX@9H] C:\WINDOWS\SYSTEM\WditARpr.exe

O4 - HKCU\..\Run: [WAPI] C:\WINDOWS\SYSTEM\wtssvsu.exe
O4 - HKCU\..\Run: [WAPI] C:\WINDOWS\SYSTEM\wtssvsu.exe

O16 - DPF: Metakenkoh Applets - https://beta.bodymed...mmetakenkoh.cab

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150...ip/RdxIE601.cab

Reboot into safe mode. Unhide all files and folders.

How to unhide file and folders

How to boot into safe mode

Delete the following.

C:\WINDOWS\fash.exe -- FILE

C:\WINDOWS\SYSTEM\wtssvsu.exe -- FILE

Reboot, rescan with HijackThis and post a fresh log.

Good Luck.

Edited by baskar1234, 12 June 2004 - 10:05 AM.


#3 tekwrite

tekwrite

    Member

  • Full Member
  • Pip
  • 5 posts

Posted 12 June 2004 - 10:41 AM

Thanks I will try all of those.

#4 tekwrite

tekwrite

    Member

  • Full Member
  • Pip
  • 5 posts

Posted 12 June 2004 - 11:56 AM

Here is the revised hijack this log. The metakenkoh references are to a legitimate game my son was reviewing.


Logfile of HijackThis v1.97.7
Scan saved at 12:22:16 PM, on 6/12/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
D:\PROGRAMS\ROXIO\GOBACK\GBPOLL.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
D:\PROGRAMS\NORTON SYSTEMWORKS\NORTON UTILITIES\NPROTECT.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE
D:\PROGRAMS\NORTON SYSTEMWORKS\NORTON GHOST\GHOSTSTARTSERVICE.EXE
D:\PROGRAMS\NET NANNY\NNSVC.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
D:\PROGRAMS\NORTON SYSTEMWORKS\NORTON GHOST\GHOSTSTARTTRAYAPP.EXE
C:\WINDOWS\STARTER.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
D:\PROGRAMS TO BE INSTALLED\FRAMXPRO\FREERAM XP PRO 1.40.EXE
D:\PROGRAMS\NET NANNY\NNTRAY.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\START MENU\PROGRAMS\STARTUP\RSRCMTR.EXE
C:\PROGRAM FILES\LINKSYS\WMP11 CONFIG UTILITY\WMP11CFG.EXE
D:\PROGRAMS\ROXIO\GOBACK\GBTRAY.EXE
D:\PROGRAMS\ADSGONE\ADSGONE.EXE
D:\PROGRAMS\LOGITECH\PROFILER\LWEMON.EXE
C:\WINDOWS\ALL USERS\DESKTOP\UTILITIES\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.srh.noaa....city=Blacksburg
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\PROGRAMS\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\REAL\TOOLBAR\REALBAR.DLL
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Programs\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.ExE
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [3dfx Tools] rundll32.exe 3dfxCmn.dll,CMNUpdateOnBoot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] D:\Programs\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [NPROTECT] D:\Programs\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NNTray] D:\PROGRAMS\NET NANNY\nnstart.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [GoBack Polling Service] d:\Programs\Roxio\GoBack\GBPoll.exe
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [NPROTECT] D:\Programs\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
O4 - HKLM\..\RunServices: [GhostStartService] D:\PROGRAMS\NORTON SYSTEMWORKS\NORTON GHOST\GHOSTSTARTSERVICE.EXE
O4 - HKLM\..\RunServices: [NNSvc] D:\PROGRAMS\NET NANNY\nnsvc.exe
O4 - HKCU\..\Run: [Start WingMan Profiler] "d:\Programs\Logitech\Profiler\lwtest.exe" /detect /quiet /launch "d:\Programs\Logitech\Profiler\lwemon.exe /noui"
O4 - HKCU\..\Run: [FreeRAM XP] "D:\PROGRAMS TO BE INSTALLED\FRAMXPRO\FREERAM XP PRO 1.40.EXE" -win
O4 - Startup: RSRCMTR.EXE
O4 - Startup: Wireless PCI Card Configuration Utility.lnk = C:\Program Files\Linksys\WMP11 Config Utility\WMP11Cfg.exe
O4 - Startup: GoBack.lnk = d:\Programs\Roxio\GoBack\GBTray.exe
O4 - Startup: AdsGone 2004.lnk = D:\Programs\AdsGone\adsgone.exe
O8 - Extra context menu item: Shorten URL - http://www.cjb.net/menuext.html
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .fpx: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll
O12 - Plugin for .ivr: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7962.5463657407
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {E13F1132-4CA0-4005-84D3-51406E27D269} (BTDownloadCtrl Control) - http://www.shockwave...ownloadCtrl.cab
O16 - DPF: Metakenkoh Applets - https://beta.bodymed...mmetakenkoh.cab

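As an added example (not code from this thread or from HijackThis), a small Python script that parses the HijackThis log format and diffs the first scan against the revised one, so the processes and autostart entries that disappeared after the fix are listed rather than eyeballed; the embedded excerpts are constructed from the two logs posted above.

```python
import re

# Constructed excerpts of the two HijackThis 1.97.7 logs posted in this thread.
LOG_BEFORE = r"""Running processes:
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\OLAB.EXE
C:\WINDOWS\SYSTEM\BYBX21Y.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE

O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [fash] C:\WINDOWS\fash.exe
O4 - HKLM\..\Run: [39CA3EB28KX@9H] C:\WINDOWS\SYSTEM\WditARpr.exe
O4 - HKCU\..\Run: [WAPI] C:\WINDOWS\SYSTEM\wtssvsu.exe
O4 - HKCU\..\RunServices: [WAPI] C:\WINDOWS\SYSTEM\wtssvsu.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150...ip/RdxIE601.cab
"""
LOG_AFTER = r"""Running processes:
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
D:\PROGRAMS\ADSGONE\ADSGONE.EXE

O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
"""

# A HijackThis entry line: section code (R0, O2, O4, O16, ...), " - ", then the item.
ENTRY_RE = re.compile(r"^(R\d|O\d+) - .+$")

def parse_log(text):
    """Split a log into (running-process paths, HijackThis entry lines)."""
    processes, entries = set(), set()
    in_procs = False
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            in_procs = False              # a blank line ends the process list
        elif line.lower() == "running processes:":
            in_procs = True
        elif ENTRY_RE.match(line):
            in_procs = False
            entries.add(line)
        elif in_procs:
            processes.add(line.upper())   # Win9x paths are case-insensitive
    return processes, entries

def diff_logs(before, after):
    """Report what disappeared and what appeared between two scans."""
    pb, eb = parse_log(before)
    pa, ea = parse_log(after)
    return {"processes_gone": sorted(pb - pa), "processes_new": sorted(pa - pb),
            "entries_gone": sorted(eb - ea), "entries_new": sorted(ea - eb)}
```

Call `diff_logs(LOG_BEFORE, LOG_AFTER)` on the full pasted logs to get the four lists; an entry that comes back after a reboot would show up under `entries_new` on the next diff.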
#5 baskar1234

baskar1234

    Member

  • Trusted Advisor
  • Pip
  • 99 posts

Posted 12 June 2004 - 12:32 PM

Hello,

Close all browser windows. Run HijackThis and fix these entries.

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =


Except for these, your log looks clean. Are you having any problems now? If so, do tell us.

And that O16 entry: the applet will be installed again after you visit that site again to review that game. There is actually no harm in fixing it with HijackThis.
Sorry I didn't mention this in my previous post.

#6 tekwrite

tekwrite

    Member

  • Full Member
  • Pip
  • 5 posts

Posted 12 June 2004 - 01:17 PM

Thanks again. Actually the game is installed on the computer and is not on the web.
