Solved

Hijack-This Log - help!

Posted on 2004-08-01
8
469 Views
Last Modified: 2010-04-11
I've run Spybot and AdAware a few times (they are completely updated).  Checked for problems, fixed them, and immunized.

I went through HiJack this once before, and took out stuff I knew to be obvious (e.g. Clearsearch junk, STCLoader, etc.), and searched on here for the rest.

I thought I had it licked.  Nope, it seems like a lot of stuff loaded itself back up, and when I turn it on something like 20 processes start-up.  The only way to get out of it is to use Task Manager to shut them down one by one.

Admittedly, I have brought most of this on myself by using Kazaa etc, on the infected computer in question.  Luckily, its just a spare computer in the house, but I would like to be able to use it from time to time.

Anyway here's the most recent log, hope someone can help.
------------------------------------
Logfile of HijackThis v1.97.7
Scan saved at 6:52:06 PM, on 8/1/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v5.50 (5.50.4134.0600)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\NETWORK ICE\BLACKICE\BLACKD.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVSYNMGR.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSSTAT.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSHWIN32.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVCONSOL.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\WEBSCANX.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\GOIDR.EXE
C:\PROGRAM FILES\COMMON FILES\SLMSS\SLMSS.EXE
C:\PROGRAM FILES\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.search-exe.com/nph-search.cgi?tcode=exebar1&look=sbar1_srchbtn
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.search-exe.com/nph-search.cgi?tcode=exesrch1&look=stmpl1&fw=
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.search-exe.com/nph-search.cgi?tcode=exesrch1&look=stmpl1&fw=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.search-exe.com/nph-search.cgi?tcode=exebar1&look=sbar1_srchbtn
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.search-exe.com/nph-search.cgi?tcode=exesrch1&look=stmpl1&fw=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.search-exe.com/nph-search.cgi?tcode=exesrch1&look=stmpl1&fw=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.search-exe.com/nph-search.cgi?tcode=exesrch1&look=stmpl1&fw=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.search-exe.com/nph-search.cgi?tcode=exesrch1&look=stmpl1&fw=
R3 - URLSearchHook: (no name) - _{707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\TV MEDIA\TvmBho.dll (file missing)
F1 - win.ini: load=HPWHRC.EXE
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\NEM219.DLL (file missing)
O2 - BHO: (no name) - {2673A080-E143-11D8-924B-009027167897} - C:\WINDOWS\SYSTEM\LSYVB.DLL
O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\PROGRAM FILES\SYSAI\APROPOSPLUGIN.DLL (file missing)
O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296DA} - C:\WINDOWS\SYSTEM\ATPART~1.DLL
O2 - BHO: (no name) - {53C330D6-A4AB-419B-B45D-FD4411C1FEF4} - C:\PROGRAM FILES\404SEARCH\404SEARCH.DLL (file missing)
O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
O2 - BHO: (no name) - {00041A26-7033-432C-94C7-6371DE343822} - C:\PROGRAM FILES\SE\V11\SE.DLL (file missing)
O2 - BHO: Recommended Hotfix - {0421701D-CF13-4E70-ADF0-45A953E7CB8B} - C:\PROGRAM FILES\RECOMMENDED HOTFIX - 421701D\V15\RH.DLL
O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\BXXS5.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
O4 - HKLM\..\Run: [0wtj] C:\WINDOWS\TEMP\0WTJ.EXE
O4 - HKLM\..\Run: [35RJAFJ237MH#N] C:\WINDOWS\SYSTEM\Wdi7.exe
O4 - HKLM\..\Run: [stcinstaller] c:\installer\id53.exe
O4 - HKLM\..\Run: [goidr] C:\WINDOWS\goidr.exe
O4 - HKLM\..\Run: [lsyvbc] C:\WINDOWS\SYSTEM\lsyvbc.exe
O4 - HKLM\..\Run: [stcloader] C:\WINDOWS\SYSTEM\stcloader.exe
O4 - HKLM\..\Run: [ClrSchLoader] \Progra~1\ClearSearch\Loader.exe
O4 - HKLM\..\Run: [slmss] C:\Program Files\Common Files\slmss\slmss.exe
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\BXXS5.DLL,DllRun
O4 - HKLM\..\Run: [Mwsvm] C:\WINDOWS\mwsvm.exe
O4 - HKLM\..\Run: [rs2T36Q] DX7RAMP.EXE
O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
O4 - HKLM\..\Run: [DownloadWare] "C:\Program Files\DownloadWare\dw.exe" /H
O4 - HKLM\..\Run: [Search-Exe] "C:\PROGRAM FILES\SE\V11\SE.EXE" /H
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [LoadBlackD] C:\Program Files\Network ICE\BlackICE\blackd.exe
O4 - HKLM\..\RunServices: [McAfeeVirusScanService] C:\Program Files\McAfee\McAfee VirusScan\AVSYNMGR.EXE
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE"
O4 - HKCU\..\Run: [aBt3RWcnS] ROBMAINT.EXE
O4 - HKLM\..\RunOnce: [TV Media] C:\TV MEDIA\TVM.EXE
O4 - HKCU\..\RunOnce: [TV Media] C:\TV MEDIA\TVM.EXE
O4 - Startup: BlackICE Utility.lnk = C:\Program Files\Network ICE\BlackICE\blackice.exe
O9 - Extra button: AIM (HKLM)
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://www.gateway.com/support/serialharvest/gwCID.CAB
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB


0
Comment
Question by:vingold
  • 3
  • 2
  • 2
  • +1
8 Comments
 
LVL 5

Accepted Solution

by:
AshuraKnight earned 125 total points
ID: 11690623
Read this :

http://crazyone.tekmasters.com/malwaretools.html

from CrazyOne homepage :)
0
 

Expert Comment

by:kkrazyykkidd
ID: 11693371
Hey, just want to give you something to try:

Click start, click Run, and type "msconfig".
Click the startup tab
Uncheck all that you dont want to startup

hope this helps.. kkrazyykkidd
0
 

Expert Comment

by:plit
ID: 11693383
I'd suggest just format and install Windows on clean disk. And make a mark on it - "do not run programms i dont trust"

Formatting - reinstalling might be a bit complicated, but it should save nerves and might be even time.
0
The Eight Noble Truths of Backup and Recovery

How can IT departments tackle the challenges of a Big Data world? This white paper provides a roadmap to success and helps companies ensure that all their data is safe and secure, no matter if it resides on-premise with physical or virtual machines or in the cloud.

 

Expert Comment

by:kkrazyykkidd
ID: 11693415
O4 - HKLM\..\Run: [ClrSchLoader] \Progra~1\ClearSearch\Loader.exe
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\BXXS5.DLL,DllRun
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE"
O4 - HKCU\..\Run: [aBt3RWcnS] ROBMAINT.EXE
O4 - HKLM\..\RunOnce: [TV Media] C:\TV MEDIA\TVM.EXE
O4 - HKCU\..\RunOnce: [TV Media] C:\TV MEDIA\TVM.EXE
O4 - HKLM\..\Run: [DownloadWare] "C:\Program Files\DownloadWare\dw.exe" /H
O4 - HKLM\..\Run: [Search-Exe] "C:\PROGRAM FILES\SE\V11\SE.EXE" /H
O4 - HKLM\..\Run: [stcinstaller] c:\installer\id53.exe
O4 - HKLM\..\Run: [goidr] C:\WINDOWS\goidr.exe
O4 - HKLM\..\Run: [0wtj] C:\WINDOWS\TEMP\0WTJ.EXE
2 - BHO: (no name) - {53C330D6-A4AB-419B-B45D-FD4411C1FEF4} - C:\PROGRAM FILES\404SEARCH\404SEARCH.DLL (file missing)

Get rid of what you dont need from here...

Apparently: O4 - HKLM\..\Run: [goidr] C:\WINDOWS\goidr.exe is a virus if you go here:

http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=126656
0
 

Expert Comment

by:kkrazyykkidd
ID: 11693444
0
 

Author Comment

by:vingold
ID: 11694721
I guess it is tricky here on EE, sometimes a poster wants to be fed the fish, and sometimes we want to be taught how to fish (or at least shown where the pond is).  I know when I post questions regarding databases, ASP, etc.  I want to be shown how to fish.

When I posted this question, I wanted to be fed a fish.  I don't want to be a spyware expert, my knowledge of Spyware is already far more than I would have originally wanted.  If it was up to me, it would be illegal, and would carry with it bigger penalties than spam.  But that is a rant for another day.

What I wanted, is a response to this question similar to responses I've seen elsewhere on EE regarding a HiJack-This log.  I wanted someone to tell me what to check off and fix, so I could get on with my workday.  This is very similar to what KkrazyyKidd did.

However, I also want to be fair in awarding the points, and it was Ashura's response that led me down the path to where the pond was (though I did have to do a few more google searches to find all of the fish).

Therefore I am accepting Ashura's answer, as brief as it was.

In addition to the link from Ashura provided above, I also found these to be helpful:

http://www.creightonbrown.geek.nz/content/ideas_tweaks.asp   <---- this was very helpful in locating and removing the TVM.exe entries from the registry.  Apparently TVM.exe runs every few moments to make sure it is loaded.  I ran HiJack-This 4 times, checking off the TVM.exe entries each time.  And every time it had reloaded itself.  Pesky little SOB.

I also used:  http://www.sysinfo.org/startuplist.php  to help me determine what should be getting loaded.  There was a handful of entries I couldn't find, I figured if it wasn't in the list it shouldn't be loaded and I got rid of it.

Thanks to all that helped!
- Vinny

BTW - if anyone want to comment on how I decided to award these points, please do.  You can reach me on AOL at vingold.
0
 
LVL 5

Expert Comment

by:AshuraKnight
ID: 11694777
Lol sorry vinny.
I thought every1 like being taught how to fish :P
So later on you can also answer someone else question and become an "expert"
Notice it's in quotes, because I think no1 can become an expert on specific field because there's other guy out there whom might know better :)
And thanks for the point :P
0
 

Author Comment

by:vingold
ID: 11695514
Ashura,

Not a problem :-)

Thanks again for your help.

- Vinny
0

Featured Post

Ransomware-A Revenue Bonanza for Service Providers

Ransomware – malware that gets on your customers’ computers, encrypts their data, and extorts a hefty ransom for the decryption keys – is a surging new threat.  The purpose of this eBook is to educate the reader about ransomware attacks.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article describes my battle tested process for setting up delegation. I use this process anywhere that I need to setup delegation. In the article I will show how it applies to Active Directory
Many businesses neglect disaster recovery and treat it as an after-thought. I can tell you first hand that data will be lost, hard drives die, servers will be hacked, and careless (or malicious) employees can ruin your data.
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

749 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question