HijackThis

Discussion in 'Trojan Defence Suite' started by stephys, Oct 29, 2003.

Thread Status:
Not open for further replies.
  1. stephys

    stephys Registered Member

    Joined:
    Oct 27, 2003
    Posts:
    15
    Location:
    jacksonville beach florida
    How do I run the scan for HijackThis?

    My computer is so full of trojans, I need some serious help.
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi stephys,

    Welcome to Wilders. :)

    Did TDS-3 not remove these trojans or what exactly is the problem?

    You can post your HijackThis log following these instructions:
    Please go to http://www.tomcoyote.org/hjt/, and download 'Hijack This!'.
    Unzip, double-click HijackThis.exe, and hit "Scan".

    When the scan is finished, the "Scan" button will change into a "Save Log" button.
    Press that, save the log as a .txt file, and copy and paste its contents into your next post.

    Most of what it lists will be harmless, so do not fix anything yet.

    Regards,

    Pieter
     
  3. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi stephys,
    welcome to the forum from me too.

    Make sure you update the TDS database before scanning.
    If you scan with TDS, you'll find the alerts at the bottom.
    Right-click on one of the finds and save as a text file. You'll find this in the TDS-3 directory as Scandump.txt.
    You might like to copy that into your next posting here and we'll try to help you with that too.

    I think your HijackThis scan can give some ideas to start with too.
    So please post them both!
     
  4. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hello stephys, you can also try AutoStart Viewer http://www.diamondcs.com.au/index.php?page=asviewer - which is a free tool.
    This is able to show what programmes auto-start on your PC, and the results can be saved as text; a copy of the text posted here may also help us decide if an entry needs to be deleted.

    HTH Pilli
     
  5. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Thanks stephys: this is what you posted to me. We will see what the forum makes of it :)
    DiamondCS Autostart Viewer (www.diamondcs.com.au) - Report for --------------, 10-29-2003
    c:\window\system32\autoexec.nt
    C:\WINDOW\system32\mscdexnt.exe
    C:\WINDOW\system32\redir.exe
    C:\WINDOW\system32\dosx.exe
    c:\window\system32\config.nt
    C:\WINDOW\system32\himem.sys
    c:\window\system.ini [drivers]
    timer=timer.drv
    c:\window\system.ini [boot]\shell
    C:\WINDOW\Explorer.exe
    c:\window\system.ini [boot]\scrnsave.exe
    C:\WINDOW\Webshots.scr
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
    C:\WINDOW\Explorer.exe
    HKCU\Control Panel\Desktop\scrnsave.exe
    C:\WINDOW\Webshots.scr
    HKCR\vbsfile\shell\open\command\
    C:\WINDOW\System32\WScript.exe "%1" %*
    HKCR\vbefile\shell\open\command\
    C:\WINDOW\System32\WScript.exe "%1" %*
    HKCR\jsfile\shell\open\command\
    C:\WINDOW\System32\WScript.exe "%1" %*
    HKCR\jsefile\shell\open\command\
    C:\WINDOW\System32\WScript.exe "%1" %*
    HKCR\wshfile\shell\open\command\
    C:\WINDOW\System32\WScript.exe "%1" %*
    HKCR\wsffile\shell\open\command\
    C:\WINDOW\System32\WScript.exe "%1" %*
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\IgfxTray
    C:\WINDOW\System32\igfxtray.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\HotKeysCmds
    C:\WINDOW\System32\hkcmd.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Lexmark X74-X75
    C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\MMTray
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\DwlClient
    C:\Program Files\Common Files\Dell\EUSW\Support.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\AdaptecDirectCD
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\POINTER
    point32.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\sr1exe
    C:\Documents and Settings\All Users.WINDOW\Application Data\Dell\Alert\252\updtSup3.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\MediaFace Integration
    C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\BCMSMMSG
    C:\WINDOW\BCMSMMSG.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\QuickTime Task
    C:\Program Files\QuickTime\qttask.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Syscpy
    C:\WINDOW\System32\syscpy.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Power Scan
    C:\Program Files\Power Scan\powerscan.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\85296267.exe
    C:\WINDOW\System32\85296267.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Anti-Trojan-Watch
    C:\Program Files\Anti-Trojan-55\ATWatch.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\RAV8Tray
    C:\Program Files\GeCAD\RAV8 Desktop\ravtray8.exe
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\msnmsgr
    C:\Program Files\MSN Messenger\msnmsgr.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
    C:\WINDOW\system32\SHELL32.dll
    C:\WINDOW\system32\SHELL32.dll
    C:\WINDOW\System32\webcheck.dll
    C:\WINDOW\System32\stobject.dll
    C:\Documents and Settings\Owner.JOEYSROOM\Start Menu\Programs\Startup\Webshots.lnk
    C:\Program Files\Webshots\WebshotsTray.exe
    C:\Documents and Settings\All Users.WINDOW\Start Menu\Programs\Startup\Digital Line Detect.lnk
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Documents and Settings\All Users.WINDOW\Start Menu\Programs\Startup\Modem User Guide.lnk
    C:\Program Files\Modem User Guide\index.htm
    C:\Documents and Settings\All Users.WINDOW\Start Menu\Programs\Startup\ravmon.exe.lnk
    C:\Program Files\GeCAD\RAV8 Desktop\ravmon.exe
    C:\Documents and Settings\All Users.WINDOW\Start Menu\Programs\Startup\ZoneAlarm.lnk
    C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
    HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
    autocheck autochk *
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
    C:\WINDOW\system32\userinit.exe
    HKLM\System\CurrentControlSet\Control\WOW\cmdline
    C:\WINDOW\system32\ntvdm.exe
    HKLM\System\CurrentControlSet\Control\WOW\wowcmdline
    C:\WINDOW\system32\ntvdm.exe -a %SystemRoot%\system32\krnl386
    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\
    C:\WINDOW\system32\mswsock.dll
    C:\WINDOW\system32\rsvpsp.dll
    HKLM\System\CurrentControlSet\Services\VxD\JAVASUP\
    C:\WINDOW\system32\JAVASUP.VXD
     
  6. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Syscpy
    C:\WINDOW\System32\syscpy.exe

    A worm. Can you delete the entry and send a copy of the file to submit@diamondcs.com.au please? Zip it up and keep a copy, but delete the file on disk.

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\85296267.exe
    C:\WINDOW\System32\85296267.exe

    Suspicious... best to do the same as above.
     
  7. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi stephys,

    Could you please keep all the information in this thread?
    You sent several people (different) logs by PM and have gotten different advice because the logs did not correspond.

    Other than what I advised you to do with HijackThis, please click Start > Run > msconfig and disable the two entries Gavin advised you to:
    C:\WINDOW\System32\syscpy.exe
    C:\WINDOW\System32\85296267.exe
    and:
    C:\Program Files\Power Scan\powerscan.exe

    Then reboot and delete the entire C:\Program Files\Power Scan folder (spyware), send the files Gavin requested and delete them after doing so.

    TIA,

    Pieter
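    A small triage helper, added here and not part of the thread or of DiamondCS's tools, that parses the Autostart Viewer report format posted above into location/value pairs and lists the values Gavin and Pieter told stephys to disable, plus any executable whose name is digits only (the pattern Gavin called suspicious). The report excerpt is constructed from the posted log, and the rule for telling location lines from value lines is an assumption about the format.

```python
import re
# Constructed excerpt of the Autostart Viewer report posted earlier in this thread.
REPORT = r"""HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Syscpy
C:\WINDOW\System32\syscpy.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Power Scan
C:\Program Files\Power Scan\powerscan.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\85296267.exe
C:\WINDOW\System32\85296267.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
C:\WINDOW\system32\SHELL32.dll
C:\WINDOW\System32\webcheck.dll
C:\Documents and Settings\All Users.WINDOW\Start Menu\Programs\Startup\ZoneAlarm.lnk
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
"""

# Assumed format rule: a line naming a registry key, a Startup .lnk, a system.ini
# section or a DOS config file is a *location*; the lines after it are its values.
LOCATION_RE = re.compile(r"^(HK(LM|CU|CR)\\|.*\\Startup\\.*\.lnk$|.*system\.ini \[|.*\.nt$)", re.I)

# Paths the replies in this thread singled out, with the action advised there.
FLAGGED_PATHS = {
    r"c:\window\system32\syscpy.exe": "worm (spam mail proxy): disable, submit sample, delete",
    r"c:\window\system32\85296267.exe": "suspicious: disable, submit sample, delete",
    r"c:\program files\power scan\powerscan.exe": "spyware: disable, then remove the folder",
}
DIGITS_ONLY_EXE = re.compile(r"^\d+\.exe$", re.I)  # e.g. 85296267.exe

def parse_report(text):
    entries = []  # list of [location, [value, ...]]
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("DiamondCS Autostart Viewer"):
            continue  # skip blanks and the report banner
        if LOCATION_RE.match(line):
            entries.append([line, []])
        elif entries:  # value line belongs to the most recent location
            entries[-1][1].append(line)
    return entries

def triage(text):
    findings = []  # (location, value, reason) for values the thread's advice applies to
    for location, values in parse_report(text):
        for value in values:
            key = value.lower()
            if key in FLAGGED_PATHS:
                findings.append((location, value, FLAGGED_PATHS[key]))
            elif DIGITS_ONLY_EXE.match(key.rsplit("\\", 1)[-1]):
                findings.append((location, value, "executable named with digits only"))
    return findings
```

    Feed it the full saved report text instead of REPORT to get the same three entries Pieter lists, each with the msconfig location to disable.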
     
  8. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Didn't receive these files yet, but I can confirm the first one - syscpy.exe is fairly common. It's a proxy mail server someone is using to spam a lot :mad:

    Will look at them when I get a copy, hope cleaning these isn't causing any problems.
     