Help required with hijackthis.log

Discussion in 'adware, spyware & hijack cleaning' started by robcat, May 13, 2004.

Thread Status:
Not open for further replies.
  1. robcat

    robcat Registered Member

    Joined:
    May 13, 2004
    Posts:
    2
    Which of these files can I safely delete?? This bug is driving me nuts!!

    Logfile of HijackThis v1.97.7
    Scan saved at 1:49:50 PM, on 5/13/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\OfficeScan NT\ntrtscan.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\OfficeScan NT\tmlisten.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\Program Files\Softex\Winroute\WinRServ.exe
    C:\Program Files\Softex\Winroute\WinRoute.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\OfficeScan NT\ofcdog.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\pctspk.exe
    C:\WINNT\System32\hkcmd.exe
    C:\WINNT\system32\PRPCUI.exe
    C:\Program Files\DELL\AccessDirect\dadapp.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\OfficeScan NT\pccntmon.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\rctpmef.exe
    C:\WINNT\system32\wjkblff.exe
    C:\WINNT\system32\hpdllhost.exe
    C:\WINNT\system32\QuikSearch.exe
    C:\PROGRA~1\INTERN~2\inetmgr.exe
    C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\PROGRA~1\INTERN~2\inetsvc.exe
    C:\Program Files\Dell TrueMobile 1150\Client Manager\CMDEL.EXE
    c:\Program Files\PestPatrol\ppcontrol.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Adobe\Acrobat 5.0\Acrobat\Acrobat.exe
    C:\Program Files\Common Files\Adobe\Web\AOM.exe
    C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\PROGRA~1\WINZIP\winzip32.exe
    C:\Documents and Settings\Administrator\Local Settings\Temp\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bnl.gov/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://government.dellnet.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.uchase.com/directory.php?a=1006
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.uchase.com/directory.php?a=1006
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://security.bnl.gov/proxy/cfg.pac
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.1.44:3128
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
    O2 - BHO: (no name) - {00000000-0000-0000-8835-3EFF76BF2657} - C:\WINNT\system32\kw3eef76.dll
    O2 - BHO: (no name) - {00000000-0000-0000-BFA1-D7EE6696B865} - C:\WINNT\system32\icdd7ee6.dll
    O2 - BHO: (no name) - {00000000-0000-41a3-98CF-00000000168B} - C:\WINNT\system32\wm41a398.dll
    O2 - BHO: (no name) - {00000000-0000-47c5-A90F-2CDE8F7638DB} - C:\WINNT\system32\iel2cde8.dll
    O2 - BHO: (no name) - {000E6ED5-E3FC-4c93-99E9-D38D2A9F9B09} - C:\WINNT\system32\he3e3fc4.dll
    O2 - BHO: (no name) - {046D6EA4-15E3-4b27-8010-45BD78A9219E} - C:\PROGRA~1\INTERN~2\inetkw.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O3 - Toolbar: (no name) - {223405EC-01F9-48a2-BDBB-D519913E2765} - C:\WINNT\system32\li01f948.dll
    O3 - Toolbar: (no name) - {EFEE6B59-ADDB-40eb-BA2C-AF860F5B42B5} - C:\WINNT\system32\readdb40.dll
    O3 - Toolbar: (no name) - {28A19C3E-91E4-4bca-A623-BAF3C43C4F49} - C:\WINNT\system32\si91e44b.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
    O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
    O4 - HKLM\..\Run: [DadApp] C:\Program Files\DELL\AccessDirect\dadapp.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\OfficeScan NT\pccntmon.exe" -HideWindow
    O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
    O4 - HKLM\..\Run: [ntli] C:\WINNT\system32\ntli.exe
    O4 - HKLM\..\Run: [hpsysconf1] C:\WINNT\system32\rctpmef.exe
    O4 - HKLM\..\Run: [nssysconf] C:\WINNT\system32\wjkblff.exe
    O4 - HKLM\..\Run: [kw3eef76] rundll32.exe C:\WINNT\system32\kw3eef76.dll,EnableRunDLL32
    O4 - HKLM\..\Run: [li01f948] rundll32.exe C:\WINNT\system32\li01f948.dll,EnableRunDLL32
    O4 - HKLM\..\Run: [000hpdllhost] C:\WINNT\system32\hpdllhost.exe
    O4 - HKLM\..\Run: [si91e44b] rundll32.exe C:\WINNT\system32\si91e44b.dll,EnableRunDLL32
    O4 - HKLM\..\Run: [readdb40] rundll32.exe C:\WINNT\system32\readdb40.dll,EnableRunDLL32
    O4 - HKLM\..\Run: [he3e3fc4] rundll32.exe C:\WINNT\system32\he3e3fc4.dll,EnableRunDLL32
    O4 - HKLM\..\Run: [iel2cde8] rundll32.exe C:\WINNT\system32\iel2cde8.dll,EnableRunDLL32
    O4 - HKLM\..\Run: [icdd7ee6] rundll32.exe C:\WINNT\system32\icdd7ee6.dll,EnableRunDLL32
    O4 - HKLM\..\Run: [QuikSearch] C:\WINNT\system32\QuikSearch.exe
    O4 - HKLM\..\Run: [wm41a398] rundll32.exe C:\WINNT\system32\wm41a398.dll,EnableRunDLL32
    O4 - HKLM\..\Run: [inetmgr] C:\PROGRA~1\INTERN~2\inetmgr.exe
    O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
    O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O12 - Plugin for .org/getpdf/servlet/GetPDFServlet?filetype=pdf&id=PRBMDO000061000020013397000001&idtype=cvips: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/30964620ebeda0f26922/netzip/RdxIE601.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37580.2557523148
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = bnl.gov
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = bnl.gov
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = bnl.gov
     
  2. dave38

    dave38 Spyware Expert

    Joined:
    Feb 26, 2004
    Posts:
    377
    Have HijackThis fix all of the following by placing a check in the appropriate boxes and hitting Fix checked. Make sure all browser and all Windows Explorer windows are closed before fixing.


    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/cus...://my.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus...rch/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.uchase.com/directory.php?a=1006
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.uchase.com/directory.php?a=1006
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cus...//www.yahoo.com

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
    O2 - BHO: (no name) - {00000000-0000-0000-8835-3EFF76BF2657} - C:\WINNT\system32\kw3eef76.dll
    O2 - BHO: (no name) - {00000000-0000-0000-BFA1-D7EE6696B865} - C:\WINNT\system32\icdd7ee6.dll
    O2 - BHO: (no name) - {00000000-0000-41a3-98CF-00000000168B} - C:\WINNT\system32\wm41a398.dll
    O2 - BHO: (no name) - {00000000-0000-47c5-A90F-2CDE8F7638DB} - C:\WINNT\system32\iel2cde8.dll
    O2 - BHO: (no name) - {000E6ED5-E3FC-4c93-99E9-D38D2A9F9B09} - C:\WINNT\system32\he3e3fc4.dll
    O2 - BHO: (no name) - {046D6EA4-15E3-4b27-8010-45BD78A9219E} - C:\PROGRA~1\INTERN~2\inetkw.dll

    O3 - Toolbar: (no name) - {223405EC-01F9-48a2-BDBB-D519913E2765} - C:\WINNT\system32\li01f948.dll
    O3 - Toolbar: (no name) - {EFEE6B59-ADDB-40eb-BA2C-AF860F5B42B5} - C:\WINNT\system32\readdb40.dll
    O3 - Toolbar: (no name) - {28A19C3E-91E4-4bca-A623-BAF3C43C4F49} - C:\WINNT\system32\si91e44b.dll


    O4 - HKLM\..\Run: [ntli] C:\WINNT\system32\ntli.exe
    O4 - HKLM\..\Run: [hpsysconf1] C:\WINNT\system32\rctpmef.exe
    O4 - HKLM\..\Run: [nssysconf] C:\WINNT\system32\wjkblff.exe
    O4 - HKLM\..\Run: [kw3eef76] rundll32.exe C:\WINNT\system32\kw3eef76.dll,EnableRunDLL32
    O4 - HKLM\..\Run: [li01f948] rundll32.exe C:\WINNT\system32\li01f948.dll,EnableRunDLL32
    O4 - HKLM\..\Run: [000hpdllhost] C:\WINNT\system32\hpdllhost.exe
    O4 - HKLM\..\Run: [si91e44b] rundll32.exe C:\WINNT\system32\si91e44b.dll,EnableRunDLL32
    O4 - HKLM\..\Run: [readdb40] rundll32.exe C:\WINNT\system32\readdb40.dll,EnableRunDLL32
    O4 - HKLM\..\Run: [he3e3fc4] rundll32.exe C:\WINNT\system32\he3e3fc4.dll,EnableRunDLL32
    O4 - HKLM\..\Run: [iel2cde8] rundll32.exe C:\WINNT\system32\iel2cde8.dll,EnableRunDLL32
    O4 - HKLM\..\Run: [icdd7ee6] rundll32.exe C:\WINNT\system32\icdd7ee6.dll,EnableRunDLL32
    O4 - HKLM\..\Run: [QuikSearch] C:\WINNT\system32\QuikSearch.exe
    O4 - HKLM\..\Run: [wm41a398] rundll32.exe C:\WINNT\system32\wm41a398.dll,EnableRunDLL32
    O4 - HKLM\..\Run: [inetmgr] C:\PROGRA~1\INTERN~2\inetmgr.exe

    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/3096462...ip/RdxIE601.cab

    Reboot, and delete

    files
    C:\WINNT\system32\ntli.exe
    C:\WINNT\system32\rctpmef.exe
    C:\WINNT\system32\wjkblff.exe
    C:\WINNT\system32\kw3eef76.dll
    C:\WINNT\system32\li01f948.dll
    C:\WINNT\system32\hpdllhost.exe
    C:\WINNT\system32\si91e44b.dll
    C:\WINNT\system32\readdb40.dll
    C:\WINNT\system32\he3e3fc4.dll
    C:\WINNT\system32\iel2cde8.dll
    C:\WINNT\system32\icdd7ee6.dll
    C:\WINNT\system32\wm41a398.dll
    C:\PROGRA~1\INTERN~2\inetmgr.exe
    C:\WINNT\system32\QuikSearch.exe

    These may be hidden files. See HERE for how to show hidden files.
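    As an added illustration of the triage applied in the reply above (this is not code from the thread, from dave38, or from HijackThis), the Python below parses O2, O3 and O4 lines and scores each module on indicators visible in the log itself: an unnamed BHO or toolbar, a null-padded CLSID, and a DLL loaded at logon through a rundll32 export. The sample lines are copied from the posted log; file reputation, which is how the Acrobat helper and the system32 executables were actually told apart, is outside what the log alone can show, so single-indicator entries come out as "review" rather than "fix".

```python
import re
from collections import defaultdict

# Constructed sample: a handful of lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {00000000-0000-0000-8835-3EFF76BF2657} - C:\WINNT\system32\kw3eef76.dll
O2 - BHO: (no name) - {046D6EA4-15E3-4b27-8010-45BD78A9219E} - C:\PROGRA~1\INTERN~2\inetkw.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: (no name) - {223405EC-01F9-48a2-BDBB-D519913E2765} - C:\WINNT\system32\li01f948.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [nssysconf] C:\WINNT\system32\wjkblff.exe
O4 - HKLM\..\Run: [kw3eef76] rundll32.exe C:\WINNT\system32\kw3eef76.dll,EnableRunDLL32
O4 - HKLM\..\Run: [li01f948] rundll32.exe C:\WINNT\system32\li01f948.dll,EnableRunDLL32
"""

# Line shapes used by HijackThis for the sections this example looks at.
ENTRY = re.compile(r"^(?P<sec>O[234]) - (?P<body>.+)$")
BHO = re.compile(r"^(?:BHO|Toolbar): (?P<name>.+?) - (?P<clsid>\{[^}]+\}) - (?P<path>.+)$")
RUN = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[(?P<value>[^\]]*)\] (?P<cmd>.+)$")
RUNDLL = re.compile(r"^rundll32(?:\.exe)?\s+(?P<dll>[^,]+),(?P<export>\w+)$", re.IGNORECASE)


def triage(log: str) -> dict:
    """Map each module path (lower-cased) to the indicators found for it across sections."""
    hits = defaultdict(list)
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        b = BHO.match(body) if sec in ("O2", "O3") else None
        if b:
            path = b.group("path").lower()
            if b.group("name") == "(no name)":
                hits[path].append("unnamed BHO/toolbar")
            if b.group("clsid").upper().startswith("{00000000-0000-"):
                hits[path].append("null-padded CLSID")
        r = RUN.match(body) if sec == "O4" else None
        d = RUNDLL.match(r.group("cmd").strip()) if r else None
        if d:  # a DLL kept resident at logon via rundll32 rather than a normal executable
            hits[d.group("dll").strip().lower()].append(
                "loaded at logon via rundll32 export " + d.group("export"))
    return dict(hits)


def verdicts(log: str) -> dict:
    """'fix' when two or more independent indicators agree, 'review' for a single one."""
    return {p: ("fix" if len(r) >= 2 else "review") for p, r in triage(log).items()}
```

Entries with no structural indicator at all, such as wjkblff.exe, never appear in the result; deciding those requires knowing the file, which is exactly what the expert supplied.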
     
  3. robcat

    robcat Registered Member

    Joined:
    May 13, 2004
    Posts:
    2
    Dave, thanks for your help but we seem to have deleted one too many files......

    In particular the computer is now continuously looking for

    C:\PROGRA~1\INTERN~2\inetkw.dll

    which we deleted. Can you help again.

    Thanks in advance

    Robcat
     
  4. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi robcat,

    If you believe there was a file there that should have stayed (and you know what it was used for) you can use the Backup feature in HijackThis to put it back. I noticed you were running HijackThis from a Temp folder, so hopefully you have not lost the backups that would have been stored there. That is why we do say to put HijackThis in its own permanent folder, in case we need to restore from a backup.

    Open HijackThis and click on the Config... button in the lower right. Then click on the Backups button on the Configuration screen. Click the one you want to restore to highlight and choose it, then click the Restore button to the left. This will restore the file(s) that you think should be put back.

    Then please do another scan with HijackThis and post a new log to be checked.

    Regards,

    snap
     
  5. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    It's looking for one of the files that was removed

    I think that unwittingly we removed part of M$ IIS


    Please restore this file from the Recycle Bin
    C:\PROGRA~1\INTERN~2\inetmgr.exe
    and do as Snap says and restore these lines in HJT
    O2 - BHO: (no name) - {046D6EA4-15E3-4b27-8010-45BD78A9219E} - C:\PROGRA~1\INTERN~2\inetkw.dll

    O4 - HKLM\..\Run: [inetmgr] C:\PROGRA~1\INTERN~2\inetmgr.exe


    Please post a new log so we can check.
     
    Last edited: May 18, 2004
  6. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    Hi Robcat

    we have done some more research on this, please ignore posts 4 & 5 by Snapdragon and myself, we have found out that the missing file is a baddie and needs to go & isn't part of M$ IIS as we thought it might be

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    O2 - BHO: (no name) - {046D6EA4-15E3-4b27-8010-45BD78A9219E} - C:\Program\INTERN~2\inetkw.dll

    O4 - HKLM\..\Run: [inetmgr] C:\Program\INTERN~2\inetmgr.exe

    Then reboot into safe mode and delete:
    C:\Program\INTERNET KEYWORD <= entire folder


    and then post a new HijackThis log to check please
     