Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Hijack-This Log - help!

Posted on 2004-08-01
8
Medium Priority
?
478 Views
Last Modified: 2010-04-11
I've run Spybot and AdAware a few times (they are completely updated).  Checked for problems, fixed them, and immunized.

I went through HiJack this once before, and took out stuff I knew to be obvious (e.g. Clearsearch junk, STCLoader, etc.), and searched on here for the rest.

I thought I had it licked.  Nope, it seems like a lot of stuff loaded itself back up, and when I turn it on something like 20 processes start-up.  The only way to get out of it is to use Task Manager to shut them down one by one.

Admittedly, I have brought most of this on myself by using Kazaa etc, on the infected computer in question.  Luckily, its just a spare computer in the house, but I would like to be able to use it from time to time.

Anyway here's the most recent log, hope someone can help.
------------------------------------
Logfile of HijackThis v1.97.7
Scan saved at 6:52:06 PM, on 8/1/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v5.50 (5.50.4134.0600)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\NETWORK ICE\BLACKICE\BLACKD.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVSYNMGR.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSSTAT.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSHWIN32.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVCONSOL.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\WEBSCANX.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\GOIDR.EXE
C:\PROGRAM FILES\COMMON FILES\SLMSS\SLMSS.EXE
C:\PROGRAM FILES\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.search-exe.com/nph-search.cgi?tcode=exebar1&look=sbar1_srchbtn
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.search-exe.com/nph-search.cgi?tcode=exesrch1&look=stmpl1&fw=
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.search-exe.com/nph-search.cgi?tcode=exesrch1&look=stmpl1&fw=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.search-exe.com/nph-search.cgi?tcode=exebar1&look=sbar1_srchbtn
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.search-exe.com/nph-search.cgi?tcode=exesrch1&look=stmpl1&fw=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.search-exe.com/nph-search.cgi?tcode=exesrch1&look=stmpl1&fw=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.search-exe.com/nph-search.cgi?tcode=exesrch1&look=stmpl1&fw=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.search-exe.com/nph-search.cgi?tcode=exesrch1&look=stmpl1&fw=
R3 - URLSearchHook: (no name) - _{707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\TV MEDIA\TvmBho.dll (file missing)
F1 - win.ini: load=HPWHRC.EXE
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\NEM219.DLL (file missing)
O2 - BHO: (no name) - {2673A080-E143-11D8-924B-009027167897} - C:\WINDOWS\SYSTEM\LSYVB.DLL
O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\PROGRAM FILES\SYSAI\APROPOSPLUGIN.DLL (file missing)
O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296DA} - C:\WINDOWS\SYSTEM\ATPART~1.DLL
O2 - BHO: (no name) - {53C330D6-A4AB-419B-B45D-FD4411C1FEF4} - C:\PROGRAM FILES\404SEARCH\404SEARCH.DLL (file missing)
O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
O2 - BHO: (no name) - {00041A26-7033-432C-94C7-6371DE343822} - C:\PROGRAM FILES\SE\V11\SE.DLL (file missing)
O2 - BHO: Recommended Hotfix - {0421701D-CF13-4E70-ADF0-45A953E7CB8B} - C:\PROGRAM FILES\RECOMMENDED HOTFIX - 421701D\V15\RH.DLL
O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\BXXS5.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
O4 - HKLM\..\Run: [0wtj] C:\WINDOWS\TEMP\0WTJ.EXE
O4 - HKLM\..\Run: [35RJAFJ237MH#N] C:\WINDOWS\SYSTEM\Wdi7.exe
O4 - HKLM\..\Run: [stcinstaller] c:\installer\id53.exe
O4 - HKLM\..\Run: [goidr] C:\WINDOWS\goidr.exe
O4 - HKLM\..\Run: [lsyvbc] C:\WINDOWS\SYSTEM\lsyvbc.exe
O4 - HKLM\..\Run: [stcloader] C:\WINDOWS\SYSTEM\stcloader.exe
O4 - HKLM\..\Run: [ClrSchLoader] \Progra~1\ClearSearch\Loader.exe
O4 - HKLM\..\Run: [slmss] C:\Program Files\Common Files\slmss\slmss.exe
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\BXXS5.DLL,DllRun
O4 - HKLM\..\Run: [Mwsvm] C:\WINDOWS\mwsvm.exe
O4 - HKLM\..\Run: [rs2T36Q] DX7RAMP.EXE
O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
O4 - HKLM\..\Run: [DownloadWare] "C:\Program Files\DownloadWare\dw.exe" /H
O4 - HKLM\..\Run: [Search-Exe] "C:\PROGRAM FILES\SE\V11\SE.EXE" /H
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [LoadBlackD] C:\Program Files\Network ICE\BlackICE\blackd.exe
O4 - HKLM\..\RunServices: [McAfeeVirusScanService] C:\Program Files\McAfee\McAfee VirusScan\AVSYNMGR.EXE
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE"
O4 - HKCU\..\Run: [aBt3RWcnS] ROBMAINT.EXE
O4 - HKLM\..\RunOnce: [TV Media] C:\TV MEDIA\TVM.EXE
O4 - HKCU\..\RunOnce: [TV Media] C:\TV MEDIA\TVM.EXE
O4 - Startup: BlackICE Utility.lnk = C:\Program Files\Network ICE\BlackICE\blackice.exe
O9 - Extra button: AIM (HKLM)
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://www.gateway.com/support/serialharvest/gwCID.CAB
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB


0
Comment
Question by:vingold
  • 3
  • 2
  • 2
  • +1
8 Comments
 
LVL 5

Accepted Solution

by:
AshuraKnight earned 250 total points
ID: 11690623
Read this :

http://crazyone.tekmasters.com/malwaretools.html

from CrazyOne homepage :)
0
 

Expert Comment

by:kkrazyykkidd
ID: 11693371
Hey, just want to give you something to try:

Click start, click Run, and type "msconfig".
Click the startup tab
Uncheck all that you dont want to startup

hope this helps.. kkrazyykkidd
0
 

Expert Comment

by:plit
ID: 11693383
I'd suggest just format and install Windows on clean disk. And make a mark on it - "do not run programms i dont trust"

Formatting - reinstalling might be a bit complicated, but it should save nerves and might be even time.
0
Put Machine Learning to Work--Protect Your Clients

Machine learning means Smarter Cybersecurity™ Solutions.
As technology continues to advance, managing and analyzing massive data sets just can’t be accomplished by humans alone. It requires huge amounts of memory and storage, as well as high-speed processing of the cloud.

 

Expert Comment

by:kkrazyykkidd
ID: 11693415
O4 - HKLM\..\Run: [ClrSchLoader] \Progra~1\ClearSearch\Loader.exe
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\BXXS5.DLL,DllRun
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE"
O4 - HKCU\..\Run: [aBt3RWcnS] ROBMAINT.EXE
O4 - HKLM\..\RunOnce: [TV Media] C:\TV MEDIA\TVM.EXE
O4 - HKCU\..\RunOnce: [TV Media] C:\TV MEDIA\TVM.EXE
O4 - HKLM\..\Run: [DownloadWare] "C:\Program Files\DownloadWare\dw.exe" /H
O4 - HKLM\..\Run: [Search-Exe] "C:\PROGRAM FILES\SE\V11\SE.EXE" /H
O4 - HKLM\..\Run: [stcinstaller] c:\installer\id53.exe
O4 - HKLM\..\Run: [goidr] C:\WINDOWS\goidr.exe
O4 - HKLM\..\Run: [0wtj] C:\WINDOWS\TEMP\0WTJ.EXE
2 - BHO: (no name) - {53C330D6-A4AB-419B-B45D-FD4411C1FEF4} - C:\PROGRAM FILES\404SEARCH\404SEARCH.DLL (file missing)

Get rid of what you dont need from here...

Apparently: O4 - HKLM\..\Run: [goidr] C:\WINDOWS\goidr.exe is a virus if you go here:

http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=126656
0
 

Author Comment

by:vingold
ID: 11694721
I guess it is tricky here on EE, sometimes a poster wants to be fed the fish, and sometimes we want to be taught how to fish (or at least shown where the pond is).  I know when I post questions regarding databases, ASP, etc.  I want to be shown how to fish.

When I posted this question, I wanted to be fed a fish.  I don't want to be a spyware expert, my knowledge of Spyware is already far more than I would have originally wanted.  If it was up to me, it would be illegal, and would carry with it bigger penalties than spam.  But that is a rant for another day.

What I wanted, is a response to this question similar to responses I've seen elsewhere on EE regarding a HiJack-This log.  I wanted someone to tell me what to check off and fix, so I could get on with my workday.  This is very similar to what KkrazyyKidd did.

However, I also want to be fair in awarding the points, and it was Ashura's response that led me down the path to where the pond was (though I did have to do a few more google searches to find all of the fish).

Therefore I am accepting Ashura's answer, as brief as it was.

In addition to the link from Ashura provided above, I also found these to be helpful:

http://www.creightonbrown.geek.nz/content/ideas_tweaks.asp   <---- this was very helpful in locating and removing the TVM.exe entries from the registry.  Apparently TVM.exe runs every few moments to make sure it is loaded.  I ran HiJack-This 4 times, checking off the TVM.exe entries each time.  And every time it had reloaded itself.  Pesky little SOB.

I also used:  http://www.sysinfo.org/startuplist.php  to help me determine what should be getting loaded.  There was a handful of entries I couldn't find, I figured if it wasn't in the list it shouldn't be loaded and I got rid of it.

Thanks to all that helped!
- Vinny

BTW - if anyone want to comment on how I decided to award these points, please do.  You can reach me on AOL at vingold.
0
 
LVL 5

Expert Comment

by:AshuraKnight
ID: 11694777
Lol sorry vinny.
I thought every1 like being taught how to fish :P
So later on you can also answer someone else question and become an "expert"
Notice it's in quotes, because I think no1 can become an expert on specific field because there's other guy out there whom might know better :)
And thanks for the point :P
0
 

Author Comment

by:vingold
ID: 11695514
Ashura,

Not a problem :-)

Thanks again for your help.

- Vinny
0

Featured Post

WatchGuard Case Study: Museum of Flight

“With limited money and limited staffing, we didn’t have a lot of choices in terms of what we could do to bring efficiency. WatchGuard played a central part in changing that.” To provide strong, secure Wi-Fi access within the museum, Hunter chose to deploy WatchGuard’s AP120 APs.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

An overview of cyber security, cyber crime, and personal protection against hackers. Includes a brief summary of the Equifax breach and why everyone should be aware of it. Other subjects include: how cyber security has failed to advance with technol…
Let's take a look into the basics of ransomware—how it spreads, how it can hurt us, and why a disaster recovery plan is important.
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…
We’ve all felt that sense of false security before—locking down external access to a database or component and feeling like we’ve done all we need to do to secure company data. But that feeling is fleeting. Attacks these days can happen in many w…

963 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question