HijackThis Log, Please Review (merged)

Discussion in 'adware, spyware & hijack cleaning' started by stumpy5959, Jun 16, 2004.

Thread Status:
Not open for further replies.
  1. stumpy5959

    stumpy5959 Registered Member

    Joined:
    May 17, 2004
    Posts:
    10
    HijackThis Log, Please Review

    Ran Stinger, Norton, updated Spybot/Adaware, CWshredder. Anything else that you see that needs to be cleaned up or fixed? (Besides upgrading from WinMe of course)

    Thanks!


    Logfile of HijackThis v1.97.7
    Scan saved at 8:27:30 PM, on 6/15/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\SSDPSRV.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZONEALARM.EXE
    C:\PROGRAM FILES\QUICKENW\QWDLLS.EXE
    C:\PROGRAM FILES\GREETINGS WORKSHOP\GWREMIND.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOSTS08.EXE
    C:\WINDOWS\RUNDLL32.EXE
    C:\WINDOWS\SYSTEM\WINOA386.MOD
    C:\WINDOWS\DESKTOP\HIJACKTHIS\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;127.0.0.1;<local>
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: Popup Manager - {08E74C67-99A6-45C7-94DA-A397A8FD8082} - (no file)
    O2 - BHO: (no name) - {029CA12C-89C1-46a7-A3C7-82F2F98635CB} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [BELT] C:\WINDOWS\BELT.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
    O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
    O4 - HKCU\..\Run: [Weather] C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE 1
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [cnet] "C:\Program Files\Kontiki\bin\kontiki.exe" -s cnet -q
    O4 - Startup: Quicken Startup.lnk = C:\Program Files\QUICKENW\QWDLLS.EXE
    O4 - Startup: Billminder.lnk = C:\Program Files\QUICKENW\BILLMIND.EXE
    O4 - Startup: hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\microsoft office\Office\OSA9.EXE
    O4 - Startup: Greetings Workshop Reminders.lnk = C:\Program Files\Greetings Workshop\GWREMIND.EXE
    O4 - Startup: hp instant support.lnk = C:\Program Files\Hewlett-Packard\hpis\bin\matcli.exe
    O4 - Startup: officejet 6100.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
    O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: WeatherBug (HKCU)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
    O16 - DPF: Yahoo! Blackjack - http://download.yahoo.com/games/clients/y/jr3_x.cab
    O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potb_x.cab
    O16 - DPF: Yahoo! Bingo - http://download.yahoo.com/games/clients/y/xr2_x.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7871.4959837963
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} - http://www.installengine.com/engine/isetup.cab
    O16 - DPF: Yahoo! NFL GameChannel StatTracker - http://aud14.sports.sc5.yahoo.com/java/y/nflgcst1008_x.cab
    O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt0_x.cab
     
  2. CalamityJane

    CalamityJane Registered Member

    Joined:
    Sep 29, 2002
    Posts:
    126
    Location:
    Central Florida
    Re: HijackThis Log, Please Review

    Hi stumpy5959

    Please make a new folder to put your HijackThis.exe into. Anywhere on your hard drive is fine other than your Desktop or the Temp folder. We suggest you use C:\Program Files\HijackThis but feel free to use any name or folder you like. Unzip HijackThis again and save the contents (Hijackthis.exe) to the new folder you made. Then navigate to it and run HijackThis from there. This is to ensure it makes the necessary backups for recovery if needed.

    Next, please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an x in the boxes next to these items, then press *fix checked*

    Note: If you did not set this yourself and/or do not use a proxy, checkmark it to be fixed - otherwise, leave it alone
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;127.0.0.1;<local>

    O2 - BHO: Popup Manager - {08E74C67-99A6-45C7-94DA-A397A8FD8082} - (no file)

    O2 - BHO: (no name) - {029CA12C-89C1-46a7-A3C7-82F2F98635CB} - (no file)

    O4 - HKLM\..\Run: [BELT] C:\WINDOWS\BELT.exe
    .............................
    Reboot your PC and delete the following file (if found, a prior cleaning step may have already removed it)

    C:\WINDOWS\BELT.exe

    Now that your PC is clean, make sure all programs are running properly and then you'll need to reset your restore point in Windows XP.......why?

    One of the best features of Windows ME or XP is the System Restore option, however if a malware infects a computer with this operating system it can be backed up in the System Restore folder. Therefore, clearing the restore points is necessary after malware removal.

    Win ME
    To disable System Restore:

    1. Right-click My Computer, and then click Properties.
    2. On the Performance tab, click File System, or press ALT+F.
    3. On the Troubleshooting tab, click to select the Disable System Restore check box.
    4. Click OK twice, and then click Yes when you are prompted to restart the computer.
    5. To re-enable System Restore, follow steps 1-3, but in step 3, click to clear the Disable System Restore check box.

    How to Enable and Disable System Restore
    http://support.microsoft.com/default.aspx?scid=kb;en-us;264887

    Next, we highly recommend you get some extra protection to prevent future infections. Here are some things you can do and some free programs to help :).

    Why did I get infected in the first place
    https://www.wilderssecurity.com/showthread.php?t=27971

    And please be sure to visit Windows Update - get ALL the critical security updates recommended for your operating system and IE. The first defense against infection is a properly patched OS.
    http://v4.windowsupdate.microsoft.com/en/default.asp
     
  3. stumpy5959

    stumpy5959 Registered Member

    Joined:
    May 17, 2004
    Posts:
    10
    Re: HijackThis Log, Please Review

    Whenever I remove HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;127.0.0.1;<local>

    and restart, it comes back. There must be something else causing this. See anything else on the log anyone?
     
  4. stumpy5959

    stumpy5959 Registered Member

    Joined:
    May 17, 2004
    Posts:
    10
    Hijack Log - Please help

    I think I'm clean, but can someone look over this log? Thanks!

    Logfile of HijackThis v1.97.7
    Scan saved at 8:00:12 PM, on 6/20/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\SSDPSRV.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE
    C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
    C:\PROGRAM FILES\KONTIKI\BIN\KONTIKI.EXE
    C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZONEALARM.EXE
    C:\PROGRAM FILES\QUICKENW\QWDLLS.EXE
    C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOTDD01.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\GREETINGS WORKSHOP\GWREMIND.EXE
    C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOSOL08.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOEVM08.EXE
    C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOSTS08.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\WINDOWS\DESKTOP\NEW FOLDER\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
    O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
    O4 - HKCU\..\Run: [Weather] C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE 1
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [cnet] "C:\Program Files\Kontiki\bin\kontiki.exe" -s cnet -q
    O4 - Startup: Quicken Startup.lnk = C:\Program Files\QUICKENW\QWDLLS.EXE
    O4 - Startup: Billminder.lnk = C:\Program Files\QUICKENW\BILLMIND.EXE
    O4 - Startup: hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\microsoft office\Office\OSA9.EXE
    O4 - Startup: Greetings Workshop Reminders.lnk = C:\Program Files\Greetings Workshop\GWREMIND.EXE
    O4 - Startup: hp instant support.lnk = C:\Program Files\Hewlett-Packard\hpis\bin\matcli.exe
    O4 - Startup: officejet 6100.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
    O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: WeatherBug (HKCU)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: Yahoo! Blackjack - http://download.yahoo.com/games/clients/y/jr3_x.cab
    O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potb_x.cab
    O16 - DPF: Yahoo! Bingo - http://download.yahoo.com/games/clients/y/xr2_x.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37871.4959837963
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} - http://www.installengine.com/engine/isetup.cab
    O16 - DPF: Yahoo! NFL GameChannel StatTracker - http://aud14.sports.sc5.yahoo.com/java/y/nflgcst1008_x.cab
    O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt0_x.cab
     
  5. stumpy5959

    stumpy5959 Registered Member

    Joined:
    May 17, 2004
    Posts:
    10
    anyone? please?
     
  6. CalamityJane

    CalamityJane Registered Member

    Joined:
    Sep 29, 2002
    Posts:
    126
    Location:
    Central Florida
    Hi Stumpy,

    Did not see your reply here until just now, sorry.

    Your log looks just fine. Now that your PC is clean, make sure all programs are running properly and then you'll need to reset your restore point in Windows ME.......why?

    One of the best features of Windows ME or XP is the System Restore option, however if a malware infects a computer with this operating system it can be backed up in the System Restore folder. Therefore, clearing the restore points is necessary after malware removal.

    To disable System Restore Win ME:

    1. Right-click My Computer, and then click Properties.
    2. On the Performance tab, click File System, or press ALT+F.
    3. On the Troubleshooting tab, click to select the Disable System Restore check box.
    4. Click OK twice, and then click Yes when you are prompted to restart the computer.
    5. To re-enable System Restore, follow steps 1-3, but in step 3, click to clear the Disable System Restore check box.

    How to Enable and Disable System Restore
    http://support.microsoft.com/default.aspx?scid=kb;en-us;264887

    Next, we highly recommend you get some extra protection to prevent future infections. Here are some things you can do and some free programs to help :).

    Why did I get infected in the first place
    https://www.wilderssecurity.com/showthread.php?t=27971

    Stay safe and happy surfing http://members.aol.com/calamitygraphics/surfinjanie.gif
     
Thread Status:
Not open for further replies.