Hijack This log help

I have run Ad-aware and then ran HiJack This. Here is the log ... Any help would be much appreciated. I'm running Win 2000 pro and have removed a bunch of bugs from this machine. (Backdoor and such).

Thank you,

pobox14

Logfile of HijackThis v1.97.7
Scan saved at 12:19:12 PM, on 5/27/2004
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\WINNT\Explorer.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINNT\System32\wuauclt.exe
C:\WINNT\system32\monitorbk.exe
C:\Documents and Settings\Hal O. Finney\My Documents\BILL\Hank\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = wsxx(<!t`h)bcdw vd0t"`f~
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = wsxx(<!t`h)bcdw vd0t"`f~
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.finneycorp.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = wsxx(<!t`h)bcdw vd0t"`f~
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = wsxx(<!t`h)bcdw vd0t"`f~
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = wsxx(<!t`h)bcdw vd0t"`f~
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = wsxx(<!t`h)bcdw vd0t"`f~
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = wsxx(<!t`h)bcdw vd0t"`f~
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = wsxx(<!t`h)bcdw vd0t"`f~
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKLM\..\Run: [MSConfig] C:\WINNT\system32\msconfig.exe /auto
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SchedulingAgent] mstinit.exe /firstlogon
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Basic) - http://www.meadroid.com/scriptx/ScriptX.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38030.6437037037
O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - http://12.158.143.133/viewer/activeXViewer/activexviewer.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E7C44C86-0CD3-11D2-9311-00A0247A4E65} (J Walk ActiveX Client Control) - http://www.regalcorp.com/regalcorp/regallink/JWalkX/JWalkX.cab

 

Hi pobox14,

Looks good to me but the R1 entries look a bit funny to me (might be a language problem)

Regards,

Pieter

 

Pieter,

Thank you for checking. Any suggestions on the R1 entries?

Background ... in case you have any thoughts: Took all the viruses off, fixed a registry issue, now get:

"Cannot find the file 'rundll32.exe' (or one of its components). Make sure the path and filename are correct and that all required libraries are available." error and also:

"This Internet Shortcut cannot be opened because failed to run".

If you have any thoughts or suggestions ... I would be grateful.

pobox14

 

They look pretty much useless, so if you don't know where they came from either.

Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = wsxx(<!t`h)bcdw vd0t"`f~
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = wsxx(<!t`h)bcdw vd0t"`f~

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = wsxx(<!t`h)bcdw vd0t"`f~
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = wsxx(<!t`h)bcdw vd0t"`f~
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = wsxx(<!t`h)bcdw vd0t"`f~
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = wsxx(<!t`h)bcdw vd0t"`f~
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = wsxx(<!t`h)bcdw vd0t"`f~
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = wsxx(<!t`h)bcdw vd0t"`f~

Then reboot and install IE6 SP1 from here:
http://www.microsoft.com/windows/ie/downloads/critical/ie6sp1/default.asp
(Select the correct language in the dropdownbox) and install all the updates issued after SP1.

Regards,

Pieter

 

Pieter,

Did as instructed above and it all went thru OK. But, I'm still getting the errors. Any other thoughts?? I believe I'm going to back up the files and reformat, but I wanted to see if you might have another way to go.

Thanks,

 

In HijackThis click Config > Misc Tools > Generate Startuplist
That will produce a text file. If I can't find it in there I'll give it up.

Regards,

Pieter

 

OK, here it is. Let me know your thoughts. I'm about to reformat ... but I may need your help with that. I can't seem to figure out how to get into bios. I'm on a DELL.

Here is the startuplist:

StartupList report, 6/3/2004, 4:09:44 PM
StartupList version: 1.52
Started from : C:\Documents and Settings\Hal O. Finney\My Documents\Fix bill\HijackThis.EXE
Detected: Windows 2000 (WinNT 5.00.2195)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\WINNT\Explorer.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Common Files\efax\HotTray.exe
C:\WINNT\System32\MsiExec.exe
C:\WINNT\system32\spoolsv.exe
C:\Documents and Settings\Hal O. Finney\My Documents\Fix bill\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
Live Menu.lnk = C:\Program Files\Common Files\efax\Dllcmd32.exe
eFax.com Tray Menu.lnk = C:\Program Files\Common Files\efax\HotTray.exe
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINNT\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

McAfee Guardian = "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
Synchronization Manager = mobsync.exe /logon
SchedulingAgent = mstinit.exe /firstlogon
LoadQM = loadqm.exe
Alogserv = C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

msnmsgr = "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
McAfee.InstantUpdate.Monitor = "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /startmonitor

--------------------------------------------------

Shell & screensaver key from C:\WINNT\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINNT\system32\ssmarque.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Download Program Files:

[MeadCo ScriptX]
InProcServer32 = C:\WINNT\System32\MCScripX.dll
CODEBASE = http://www.meadroid.com/scriptx/ScriptX.cab
OSD = C:\WINNT\Downloaded Program Files\ScriptX.osd

[Shockwave ActiveX Control]
InProcServer32 = C:\WINNT\System32\macromed\Shockwave 10\Download.dll
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

[Update Class]
InProcServer32 = C:\WINNT\System32\iuctl.dll
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38030.6437037037

[Crystal Report Viewer Control]
InProcServer32 = C:\WINNT\Downloaded Program Files\CRViewer.dll
CODEBASE = http://12.158.143.133/viewer/activeXViewer/activexviewer.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINNT\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

[J Walk ActiveX Client Control]
InProcServer32 = C:\WINNT\DOWNLO~1\JWalkX.ocx
CODEBASE = http://www.regalcorp.com/regalcorp/regallink/JWalkX/JWalkX.cab

--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: C:\Config.Msi\696ec.rbf||C:\Config.Msi\696ee.rbf||C:\Config.Msi\696f3.rbf|||s

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

Network.ConnectionTray: C:\WINNT\system32\NETSHELL.dll
SysTray: stobject.dll
WebCheck: C:\WINNT\System32\webcheck.dll
: *Registry key not found*

--------------------------------------------------
End of report, 5,681 bytes
Report generated in 0.400 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

 

Dell seems to have their BIOS password-protected:
http://forums.us.dell.com/supportforums/board/message?board.id=latit_bios&message.id=5447

Is that the problem?

Regards,

Pieter