Hijack this log if someone could have a look?

Discussion in 'adware, spyware & hijack cleaning' started by BlackHawk66, Nov 13, 2003.

Thread Status:
Not open for further replies.
  1. BlackHawk66

    BlackHawk66 Registered Member

    Joined:
    Nov 10, 2003
    Posts:
    33
    Location:
    Great White North
    Hi again.

    Only been here long enough for a couple of posts, but I've learned a lot just lurking. :D

    As I said in my first or second post, I've just recently (9 November 2003) reformatted and reinstalled Windows 98SE. After installing SpywareGuard it found this:

    NEW BHO DETECTION ALERT
    On 08:47:08 11/12/2003 a new BHO installation attempt was detected.
    BHO: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
    ProgramID: AcroIEHelper.AcroIEHlprObj.1
    File Location: C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    User Action Taken: REMOVE BHO


    I'm not quite sure yet what a BHO is but, as I didn't ask Adobe for it, I took the above action.

    Coincidentally, the night I installed Adobe (before learning of SpywareGuard) my wife complained that her SlimBrowser was acting up.....badly. Refusing to minimize and generally locking up the system to the point of requiring a manual shutdown. She hasn't tried it since I removed the BHO.

    I personally have started having problems with my preferred browser, Opera 7.2. Mostly "has performed an illegal operation and will now shut down". This seems to be happening more and more, at the same time I'm noticing the computer does not want to shut down properly.

    Not knowing what I'm looking at in the following log o_O, I can only say that my wife does run Yahoo! Messenger while browsing to notify her of e-mails and keep in touch with friends. She also does a bit of selling on eBay, if that helps explain some of the entries.

    Any help would be much appreciated.

    Logfile of HijackThis v1.97.6
    Scan saved at 10:51:49 AM, on 11/13/03
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v5.00 (5.00.2614.3500)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
    C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
    C:\PROGRAM FILES\OPERA7\OPERA.EXE
    C:\DOWNLOADEDPROGRAMS\SECURITY\HIJACK THIS\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cgi1.ebay.com/
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://mail.yahoo.com/
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\Zone Labs\ZoneAlarm\zlclient.exe
    O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\NORTON~1\DEFALERT.EXE
    O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
    O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Yahoo! Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll

    [EDITED to take out ebay users account] Unzy
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    About BHO's: http://home01.wxs.nl/~kleyn080/BHO_list.html

    They are not ALL bad. As you can see on that list, the Adobe BHO is listed as:
    L {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}: AcroIEhelper.ocx/AcroIEhelper.dll - Adobe Acrobat reader

    The L stands for legitimate, so there was no need to remove it.

    About your problem with Opera: did you see version 7.22 was released?
    http://www.wilderssecurity.com/showthread.php?t=16259

    Your log is short and clean. :)

    Regards,

    Pieter
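The lookup Pieter describes (take the CLSID from an O2 line and check it against a BHO list marked "L" for legitimate) can be done mechanically over the HijackThis log format posted above. This is an added example, not code from the thread or from HijackThis; the sample lines, the Adobe O2 line (the poster had already removed that BHO) and the tiny reference list are constructed here.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample lines in the shape HijackThis 1.97 prints (not the poster's full log).
SAMPLE_LOG = [
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cgi1.ebay.com/",
    r"O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL",
    r"O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX",
    r"O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET",
]

# Constructed excerpt of a BHO reference list: CLSID -> (status, description).
# "L" = legitimate, as in the list linked above; the SpywareGuard entry is an assumption.
KNOWN_BHOS = {
    "{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}": ("L", "AcroIEhelper.ocx - Adobe Acrobat reader"),
    "{4A368E80-174F-4872-96B5-0B27DDD11DB2}": ("L", "DLPROTECT.DLL - SpywareGuard"),
}

CLSID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
PATTERNS = {
    "O2": re.compile(rf"^O2 - BHO: (?P<name>.*?) - (?P<clsid>{CLSID}) - (?P<path>.+)$"),
    "O4": re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<path>.+)$"),
    "R": re.compile(r"^R[0-3] - (?P<key>[^,]+),(?P<name>[^=]+) = (?P<path>.*)$"),
}

@dataclass
class HjtEntry:
    section: str   # HijackThis section code, e.g. "O2"
    name: str      # display name / value name
    path: str      # file, command line or URL the entry points at
    clsid: str = ""  # only filled for O2 entries

def parse_line(line: str) -> Optional[HjtEntry]:
    """Split one HijackThis log line into its parts; unknown sections return None."""
    section = line.split(" - ", 1)[0]
    pat = PATTERNS.get(section) or (PATTERNS["R"] if section.startswith("R") else None)
    m = pat.match(line) if pat else None
    if not m:
        return None
    g = m.groupdict()
    return HjtEntry(section, g["name"].strip(), g["path"].strip(), g.get("clsid", ""))

def triage_bhos(lines: List[str], known=KNOWN_BHOS) -> Dict[str, str]:
    """Map each O2 CLSID to 'legitimate' (listed as L) or 'unknown' (not listed: look it up)."""
    verdicts = {}
    for line in lines:
        e = parse_line(line)
        if e and e.section == "O2":
            status = known.get(e.clsid.upper(), ("?", ""))[0]
            verdicts[e.clsid] = "legitimate" if status == "L" else "unknown"
    return verdicts
```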
     
  3. Unzy

    Unzy Registered Member

    Joined:
    Nov 2, 2003
    Posts:
    1,098
    Location:
    Belgium
    Hi BlackHawk,

    Welcome aboard :)

    First you'll have to learn that not all BHOs are bad. A BHO is a Browser Helper Object, used to control certain internet actions. Unfortunately, it's also popular with hijackers, who alter your personal settings and redirect you to malware places.

    Read HERE if you want to know more info

    Your log looks just fine, and the Adobe BHO is necessary if you use Acrobat.

    I dunno what your specific problem is related to, but if you feel a lockup is about to happen, open the Task Manager and check in the processes tab which of the items listed has a high CPU usage.

    Thanks!

    BTW, it's also a good idea to update your Internet Explorer (5.0 is seriously outdated) and probably a bunch of patches at windowsupdate.com

    Cheers,
     
  4. Unzy

    Unzy Registered Member

    Joined:
    Nov 2, 2003
    Posts:
    1,098
    Location:
    Belgium
    Hi Pieter :p
     
  5. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi Unzy,

    Two pieces of advice are better than one. At least as long as we agree, and we usually do. ;)

    Regards,

    Pieter
     
  6. BlackHawk66

    BlackHawk66 Registered Member

    Joined:
    Nov 10, 2003
    Posts:
    33
    Location:
    Great White North
    Thanks, Pieter!

    Had heard that Opera 7.22 was out but thought it was not a final release. Perhaps I'll give it a go and maybe change cache size to boot.

    Again, thanks.
     
  7. BlackHawk66

    BlackHawk66 Registered Member

    Joined:
    Nov 10, 2003
    Posts:
    33
    Location:
    Great White North
    Thanks!

    Paranoia strikes again!!!! :D
    Guess I'll be putting that back.

    This sounds incredibly cool and very useful. Can you direct me to an area where I could learn to do this?

    For what? You helped me......now, if this were a woodworking forum...... ;)

    Never use IE, to tell the truth. Haven't since......well 5.0. Just never could stand it.

    Thanks for taking the time to look at my log.

    All the best...
     
  8. Unzy

    Unzy Registered Member

    Joined:
    Nov 2, 2003
    Posts:
    1,098
    Location:
    Belgium
    Hi BlackHawk,

    Here is a great site that has most of the tasks/processes that appear in your processes list covered:

    http://www.answersthatwork.com/Tasklist_pages/tasklist.htm

    To view the processes list just do Ctrl-Alt-Del, and check the processes there.

    There's no CPU usage indicator in Win98SE though :( but at least you can crosscheck your running tasks through the tasklist.

    I can dig a little further if you want, to see if there are some task editors for Win98SE that show CPU usage.

    Cheers,
     
  9. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi Unzy,

    Something like this: http://www.wintaskman.de/ ?

    Couldn't find an English version. :(

    Regards,

    Pieter
     
  10. Unzy

    Unzy Registered Member

    Joined:
    Nov 2, 2003
    Posts:
    1,098
    Location:
    Belgium
    EXACTLY like that Pieter :)

    Very late here, I'll try to look for an English version as well, first thing in the morning :thumbsup:

    Thanks!

    Cheers,
     
  11. BlackHawk66

    BlackHawk66 Registered Member

    Joined:
    Nov 10, 2003
    Posts:
    33
    Location:
    Great White North
    Oooooooookay. The Ctrl/Alt/Del I know about. Use it when I can't get a program to close......if it hasn't locked up the system too badly.

    Now that you mention task editors, I think I've read about some. Now, if I can only think of where. Appreciate your looking but if it's a bother, don't worry. Gotta do some of the work myself. :)

    Thanks again...
     