HijackThis

How do i run the scan for highjack this.

My computer is so full of trojans i need some serious help

 

Hi stephys,

Welcome at Wilders.

Did TDS-3 not remove these trojans or what exactly is the problem?

You can post your HijackThis log following these instructions:
Please go to http://www.tomcoyote.org/hjt/, and download 'Hijack This!'.
Unzip, doubleclick HijackThis.exe, and hit "Scan".

When the scan is finished, the "Scan" button will change into a "Save Log" button.
Press that, save the log as a .txt file, and copy and paste its contents into your next post.

Most of what it lists will be harmless, so do not fix anything yet.

Regards,

Pieter

 

Hi stephys,
welcome in the forum from my part too.

Make sure you update the TDS database before scanning.
If you scan with TDS, in the bottom you'll find the alerts.
rightclick on one of the finds and save as a textfile. This you'll find in the TDS-3 directory as Scandump.txt
You might like to copy that in your next posting here and we'll try to help you with that too.

Think your hijackthis scan can give some ideas to start with too.
So please post them both!

 

Hello stephys, You can also try AutoStart Viewer http://www.diamondcs.com.au/index.php?page=asviewer - which is a free tool.
This is able to show what programmes Auto start on your PC and the results can be saved as text, a copy of the text posted here may also help us decide if an entry needs to be deleted.

HTH Pilli

 

Thanks Stephys: This is what you posted to me: We will see what the forum makes of it
DiamondCS Autostart Viewer (www.diamondcs.com.au) - Report for --------------, 10-29-2003
c:\window\system32\autoexec.nt
C:\WINDOW\system32\mscdexnt.exe
C:\WINDOW\system32\redir.exe
C:\WINDOW\system32\dosx.exe
c:\window\system32\config.nt
C:\WINDOW\system32\himem.sys
c:\window\system.ini [drivers]
timer=timer.drv
c:\window\system.ini [boot]\shell
C:\WINDOW\Explorer.exe
c:\window\system.ini [boot]\scrnsave.exe
C:\WINDOW\Webshots.scr
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
C:\WINDOW\Explorer.exe
HKCU\Control Panel\Desktop\scrnsave.exe
C:\WINDOW\Webshots.scr
HKCR\vbsfile\shell\open\command\
C:\WINDOW\System32\WScript.exe "%1" %*
HKCR\vbefile\shell\open\command\
C:\WINDOW\System32\WScript.exe "%1" %*
HKCR\jsfile\shell\open\command\
C:\WINDOW\System32\WScript.exe "%1" %*
HKCR\jsefile\shell\open\command\
C:\WINDOW\System32\WScript.exe "%1" %*
HKCR\wshfile\shell\open\command\
C:\WINDOW\System32\WScript.exe "%1" %*
HKCR\wsffile\shell\open\command\
C:\WINDOW\System32\WScript.exe "%1" %*
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\IgfxTray
C:\WINDOW\System32\igfxtray.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\HotKeysCmds
C:\WINDOW\System32\hkcmd.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Lexmark X74-X75
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\MMTray
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\DwlClient
C:\Program Files\Common Files\Dell\EUSW\Support.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\AdaptecDirectCD
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\POINTER
point32.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\sr1exe
C:\Documents and Settings\All Users.WINDOW\Application Data\Dell\Alert\252\updtSup3.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\MediaFace Integration
C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\BCMSMMSG
C:\WINDOW\BCMSMMSG.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\QuickTime Task
C:\Program Files\QuickTime\qttask.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Syscpy
C:\WINDOW\System32\syscpy.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Power Scan
C:\Program Files\Power Scan\powerscan.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\85296267.exe
C:\WINDOW\System32\85296267.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Anti-Trojan-Watch
C:\Program Files\Anti-Trojan-55\ATWatch.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\RAV8Tray
C:\Program Files\GeCAD\RAV8 Desktop\ravtray8.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\msnmsgr
C:\Program Files\MSN Messenger\msnmsgr.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
C:\WINDOW\system32\SHELL32.dll
C:\WINDOW\system32\SHELL32.dll
C:\WINDOW\System32\webcheck.dll
C:\WINDOW\System32\stobject.dll
C:\Documents and Settings\Owner.JOEYSROOM\Start Menu\Programs\Startup\Webshots.lnk
C:\Program Files\Webshots\WebshotsTray.exe
C:\Documents and Settings\All Users.WINDOW\Start Menu\Programs\Startup\Digital Line Detect.lnk
C:\Program Files\Digital Line Detect\DLG.exe
C:\Documents and Settings\All Users.WINDOW\Start Menu\Programs\Startup\Modem User Guide.lnk
C:\Program Files\Modem User Guide\index.htm
C:\Documents and Settings\All Users.WINDOW\Start Menu\Programs\Startup\ravmon.exe.lnk
C:\Program Files\GeCAD\RAV8 Desktop\ravmon.exe
C:\Documents and Settings\All Users.WINDOW\Start Menu\Programs\Startup\ZoneAlarm.lnk
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
autocheck autochk *
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
C:\WINDOW\system32\userinit.exe
HKLM\System\CurrentControlSet\Control\WOW\cmdline
C:\WINDOW\system32\ntvdm.exe
HKLM\System\CurrentControlSet\Control\WOW\wowcmdline
C:\WINDOW\system32\ntvdm.exe -a %SystemRoot%\system32\krnl386
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\
C:\WINDOW\system32\mswsock.dll
C:\WINDOW\system32\rsvpsp.dll
HKLM\System\CurrentControlSet\Services\VxD\JAVASUP\
C:\WINDOW\system32\JAVASUP.VXD

 

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Syscpy
C:\WINDOW\System32\syscpy.exe

A worm, can you delete the entry and send a copy of the file to submit@diamondcs.com.au please. Zip it up and keep a copy, but delete the file on disk

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\85296267.exe
C:\WINDOW\System32\85296267.exe

Suspicious.. best to do the same as above

 

Hi stephsys,

Could you please keep all the information in this thread?
You sent several people (different) logs by PM and have gotten different advise because the logs did not correspond.

Other then what I advised you to do with HijackThis, please click Start Run > msconfig and disable the two entries Gavin advised you to:
C:\WINDOW\System32\syscpy.exe
C:\WINDOW\System32\85296267.exe
and:
C:\Program Files\Power Scan\powerscan.exe

Then reboot and delete the entire C:\Program Files\Power Scan folder (spyware), send the files Gavin requested and delete them after doing so.

TIA,

Pieter

 

Didnt receive these files yet, but can confirm the first one - syscpy.exe is fairly common. Its a proxy mail server someone is using to spam a lot

Will look at them when I get a copy, hope cleaning these isn't causing any problems.