Hijack This log help

Discussion in 'adware, spyware & hijack cleaning' started by pobox14, May 27, 2004.

Thread Status:
Not open for further replies.
  1. pobox14

    pobox14 Registered Member

    Joined:
    May 27, 2004
    Posts:
    4
    I have run Ad-aware and then HijackThis. Here is the log ... Any help would be much appreciated. I'm running Win 2000 Pro and have removed a bunch of bugs from this machine (backdoor and such).

    Thank you, :)

    pobox14

    Logfile of HijackThis v1.97.7
    Scan saved at 12:19:12 PM, on 5/27/2004
    Platform: Windows 2000 (WinNT 5.00.2195)
    MSIE: Internet Explorer v5.00 (5.00.2920.0000)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
    C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
    C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
    C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
    C:\WINNT\Explorer.exe
    C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\WINNT\System32\wuauclt.exe
    C:\WINNT\system32\monitorbk.exe
    C:\Documents and Settings\Hal O. Finney\My Documents\BILL\Hank\HijackThis.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = wsxx(<!t`h)bcdw vd0t"`f~
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = wsxx(<!t`h)bcdw vd0t"`f~
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.finneycorp.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = wsxx(<!t`h)bcdw vd0t"`f~
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = wsxx(<!t`h)bcdw vd0t"`f~
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = wsxx(<!t`h)bcdw vd0t"`f~
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = wsxx(<!t`h)bcdw vd0t"`f~
    R1 - HKCU\Software\Microsoft\Internet Explorer,Search = wsxx(<!t`h)bcdw vd0t"`f~
    R1 - HKLM\Software\Microsoft\Internet Explorer,Search = wsxx(<!t`h)bcdw vd0t"`f~
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
    O4 - HKLM\..\Run: [MSConfig] C:\WINNT\system32\msconfig.exe /auto
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [SchedulingAgent] mstinit.exe /firstlogon
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Basic) - http://www.meadroid.com/scriptx/ScriptX.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38030.6437037037
    O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - http://12.158.143.133/viewer/activeXViewer/activexviewer.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E7C44C86-0CD3-11D2-9311-00A0247A4E65} (J Walk ActiveX Client Control) - http://www.regalcorp.com/regalcorp/regallink/JWalkX/JWalkX.cab
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi pobox14,

    Looks good to me, but the R1 entries look a bit funny (might be a language problem).

    Regards,

    Pieter
     
  3. pobox14

    pobox14 Registered Member

    Joined:
    May 27, 2004
    Posts:
    4
    Pieter,

    Thank you for checking. Any suggestions on the R1 entries?

    Background ... in case you have any thoughts: Took all the viruses off, fixed a registry issue, now get:

    "Cannot find the file 'rundll32.exe' (or one of its components). Make sure the path and filename are correct and that all required libraries are available." error and also:

    "This Internet Shortcut cannot be opened because failed to run".

    If you have any thoughts or suggestions ... I would be grateful.

    pobox14
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    They look pretty much useless, so if you don't know where they came from either:

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:
    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = wsxx(<!t`h)bcdw vd0t"`f~
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = wsxx(<!t`h)bcdw vd0t"`f~

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = wsxx(<!t`h)bcdw vd0t"`f~
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = wsxx(<!t`h)bcdw vd0t"`f~
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = wsxx(<!t`h)bcdw vd0t"`f~
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = wsxx(<!t`h)bcdw vd0t"`f~
    R1 - HKCU\Software\Microsoft\Internet Explorer,Search = wsxx(<!t`h)bcdw vd0t"`f~
    R1 - HKLM\Software\Microsoft\Internet Explorer,Search = wsxx(<!t`h)bcdw vd0t"`f~

    Then reboot and install IE6 SP1 from here:
    http://www.microsoft.com/windows/ie/downloads/critical/ie6sp1/default.asp
    (Select the correct language in the dropdown box) and install all the updates issued after SP1.

    Regards,

    Pieter
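The check Pieter is doing by eye above (an R0/R1 value that is not a URL is a hijacked or corrupted IE setting) can be automated against a pasted HijackThis log. The script below is an added example written for this page; it is not part of the thread and not HijackThis's own code. It parses the R0/R1 lines from the log in the first post (copied here as constructed sample input), flags values that are not well-formed http(s) URLs, and writes a .reg file that deletes those named values so IE falls back to its defaults. The plausibility rules, the decision to delete rather than overwrite, and the hive mapping are this example's own assumptions; HijackThis's "Fix checked" does its own reset and is the simpler route when the tool is at hand.

```python
"""Triage HijackThis R0/R1 lines and emit a .reg file that removes hijacked values.

Added example for this page, not HijackThis code.  SAMPLE_LOG is constructed
from lines of the log posted in the thread; the URL plausibility rules and the
.reg deletion approach are this example's own choices (assumptions).
"""
import re
from urllib.parse import urlsplit

# HijackThis prints these as: "R<n> - <hive>\<key path>,<value name> = <data>"
R_LINE = re.compile(r"^R([01]) - (HK(?:CU|LM)\\[^,]+),(.+?) = (.*)$")
# A hostname of at least two dot-separated labels (assumed "real-looking" host).
HOST = re.compile(r"^(?:[A-Za-z0-9-]+\.)+[A-Za-z0-9-]+$")
HIVES = {"HKCU": "HKEY_CURRENT_USER", "HKLM": "HKEY_LOCAL_MACHINE"}

# Constructed sample: four R lines from the posted log plus one O4 line that
# the parser must ignore.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = wsxx(<!t`h)bcdw vd0t"`f~
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = wsxx(<!t`h)bcdw vd0t"`f~
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.finneycorp.com/
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = wsxx(<!t`h)bcdw vd0t"`f~
O4 - HKLM\..\Run: [MSConfig] C:\WINNT\system32\msconfig.exe /auto
"""


def parse_r_entries(log_text):
    """Return one dict per R0/R1 line (type, key, value name, data); other lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = R_LINE.match(line.strip())
        if m:
            entries.append({"type": "R" + m.group(1), "key": m.group(2),
                            "value": m.group(3), "data": m.group(4)})
    return entries


def is_plausible_url(data):
    """True for about:blank or an http(s) URL with a real-looking host.

    Spaces, quotes and non-printable bytes are rejected outright: none of them
    belong in a start page or search URL, and the garbage in the posted log
    contains all three.
    """
    if data.lower() == "about:blank":
        return True
    if any(not 0x20 < ord(c) < 0x7F for c in data) or '"' in data:
        return False
    try:
        parts = urlsplit(data)
    except ValueError:          # e.g. an unbalanced '[' in a bogus IPv6 host
        return False
    return parts.scheme in ("http", "https") and bool(HOST.match(parts.hostname or ""))


def triage(log_text):
    """Entries whose data does not look like a URL: the candidates for 'Fix checked'."""
    return [e for e in parse_r_entries(log_text) if not is_plausible_url(e["data"])]


def to_reg_script(entries):
    """Build a .reg file that deletes the flagged values ("name"=- syntax).

    Deleting rather than overwriting is this example's choice: IE falls back
    to its built-in defaults for a missing value.  Export the keys with
    regedit before importing this, and note that HKLM values need admin rights.
    """
    by_key = {}
    for e in entries:
        hive, _, path = e["key"].partition("\\")
        by_key.setdefault(HIVES[hive] + "\\" + path, []).append(e["value"])
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key, names in by_key.items():
        lines.append(f"[{key}]")
        lines.extend(f'"{name}"=-' for name in names)
        lines.append("")
    return "\r\n".join(lines)


if __name__ == "__main__":
    flagged = triage(SAMPLE_LOG)
    for e in flagged:
        print(f"{e['type']} {e['key']},{e['value']} -> {e['data']!r}")
    print(to_reg_script(flagged))
```

On the sample above the Start Page line passes and the three garbage values are flagged; the generated .reg deletes SearchURL and Search Bar under HKCU and Search under HKLM. The URL test is deliberately strict (two-label hostname, http/https only), so a legitimate intranet start page such as http://server/ would also be flagged for a human to look at, which is the right failure direction for a triage tool.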
     
  5. pobox14

    pobox14 Registered Member

    Joined:
    May 27, 2004
    Posts:
    4
    Pieter,

    Did as instructed above and it all went through OK. But I'm still getting the errors. Any other thoughts? I believe I'm going to back up the files and reformat, but I wanted to see if you might have another way to go.

    Thanks,
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    In HijackThis click Config > Misc Tools > Generate Startuplist
    That will produce a text file. If I can't find it in there I'll give it up.

    Regards,

    Pieter
     
  7. pobox14

    pobox14 Registered Member

    Joined:
    May 27, 2004
    Posts:
    4
    OK, here it is. Let me know your thoughts. I'm about to reformat ... but I may need your help with that. I can't seem to figure out how to get into the BIOS. I'm on a Dell.

    Here is the startuplist:

    StartupList report, 6/3/2004, 4:09:44 PM
    StartupList version: 1.52
    Started from : C:\Documents and Settings\Hal O. Finney\My Documents\Fix bill\HijackThis.EXE
    Detected: Windows 2000 (WinNT 5.00.2195)
    Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    * Using default options
    ==================================================

    Running processes:

    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
    C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
    C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
    C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
    C:\WINNT\Explorer.exe
    C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
    C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Common Files\efax\HotTray.exe
    C:\WINNT\System32\MsiExec.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Documents and Settings\Hal O. Finney\My Documents\Fix bill\HijackThis.exe

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Common Startup:
    [C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
    WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    Live Menu.lnk = C:\Program Files\Common Files\efax\Dllcmd32.exe
    eFax.com Tray Menu.lnk = C:\Program Files\Common Files\efax\HotTray.exe
    Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

    --------------------------------------------------

    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINNT\system32\userinit.exe,

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    McAfee Guardian = "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
    Synchronization Manager = mobsync.exe /logon
    SchedulingAgent = mstinit.exe /firstlogon
    LoadQM = loadqm.exe
    Alogserv = C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    msnmsgr = "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    McAfee.InstantUpdate.Monitor = "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /startmonitor

    --------------------------------------------------

    Shell & screensaver key from C:\WINNT\SYSTEM.INI:

    Shell=*INI section not found*
    SCRNSAVE.EXE=*INI section not found*
    drivers=*INI section not found*

    Shell & screensaver key from Registry:

    Shell=Explorer.exe
    SCRNSAVE.EXE=C:\WINNT\system32\ssmarque.scr
    drivers=*Registry value not found*

    Policies Shell key:

    HKCU\..\Policies: Shell=*Registry key not found*
    HKLM\..\Policies: Shell=*Registry value not found*

    --------------------------------------------------


    Enumerating Download Program Files:

    [MeadCo ScriptX]
    InProcServer32 = C:\WINNT\System32\MCScripX.dll
    CODEBASE = http://www.meadroid.com/scriptx/ScriptX.cab
    OSD = C:\WINNT\Downloaded Program Files\ScriptX.osd

    [Shockwave ActiveX Control]
    InProcServer32 = C:\WINNT\System32\macromed\Shockwave 10\Download.dll
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

    [Update Class]
    InProcServer32 = C:\WINNT\System32\iuctl.dll
    CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38030.6437037037

    [Crystal Report Viewer Control]
    InProcServer32 = C:\WINNT\Downloaded Program Files\CRViewer.dll
    CODEBASE = http://12.158.143.133/viewer/activeXViewer/activexviewer.cab

    [Shockwave Flash Object]
    InProcServer32 = C:\WINNT\System32\macromed\flash\Flash.ocx
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    [J Walk ActiveX Client Control]
    InProcServer32 = C:\WINNT\DOWNLO~1\JWalkX.ocx
    CODEBASE = http://www.regalcorp.com/regalcorp/regallink/JWalkX/JWalkX.cab

    --------------------------------------------------

    Enumerating Windows NT logon/logoff scripts:
    *No scripts set to run*

    Windows NT checkdisk command:
    BootExecute = autocheck autochk *

    Windows NT 'Wininit.ini':
    PendingFileRenameOperations: C:\Config.Msi\696ec.rbf||C:\Config.Msi\696ee.rbf||C:\Config.Msi\696f3.rbf|||s

    --------------------------------------------------

    Enumerating ShellServiceObjectDelayLoad items:

    Network.ConnectionTray: C:\WINNT\system32\NETSHELL.dll
    SysTray: stobject.dll
    WebCheck: C:\WINNT\System32\webcheck.dll
    : *Registry key not found*

    --------------------------------------------------
    End of report, 5,681 bytes
    Report generated in 0.400 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only
     
  8. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands