Solved

Hijack-This Log - help!

Posted on 2004-08-01
8
471 Views
Last Modified: 2010-04-11
I've run Spybot and AdAware a few times (they are completely updated).  Checked for problems, fixed them, and immunized.

I went through HiJack this once before, and took out stuff I knew to be obvious (e.g. Clearsearch junk, STCLoader, etc.), and searched on here for the rest.

I thought I had it licked.  Nope, it seems like a lot of stuff loaded itself back up, and when I turn it on something like 20 processes start-up.  The only way to get out of it is to use Task Manager to shut them down one by one.

Admittedly, I have brought most of this on myself by using Kazaa etc, on the infected computer in question.  Luckily, its just a spare computer in the house, but I would like to be able to use it from time to time.

Anyway here's the most recent log, hope someone can help.
------------------------------------
Logfile of HijackThis v1.97.7
Scan saved at 6:52:06 PM, on 8/1/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v5.50 (5.50.4134.0600)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\NETWORK ICE\BLACKICE\BLACKD.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVSYNMGR.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSSTAT.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSHWIN32.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVCONSOL.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\WEBSCANX.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\GOIDR.EXE
C:\PROGRAM FILES\COMMON FILES\SLMSS\SLMSS.EXE
C:\PROGRAM FILES\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.search-exe.com/nph-search.cgi?tcode=exebar1&look=sbar1_srchbtn
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.search-exe.com/nph-search.cgi?tcode=exesrch1&look=stmpl1&fw=
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.search-exe.com/nph-search.cgi?tcode=exesrch1&look=stmpl1&fw=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.search-exe.com/nph-search.cgi?tcode=exebar1&look=sbar1_srchbtn
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.search-exe.com/nph-search.cgi?tcode=exesrch1&look=stmpl1&fw=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.search-exe.com/nph-search.cgi?tcode=exesrch1&look=stmpl1&fw=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.search-exe.com/nph-search.cgi?tcode=exesrch1&look=stmpl1&fw=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.search-exe.com/nph-search.cgi?tcode=exesrch1&look=stmpl1&fw=
R3 - URLSearchHook: (no name) - _{707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\TV MEDIA\TvmBho.dll (file missing)
F1 - win.ini: load=HPWHRC.EXE
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\NEM219.DLL (file missing)
O2 - BHO: (no name) - {2673A080-E143-11D8-924B-009027167897} - C:\WINDOWS\SYSTEM\LSYVB.DLL
O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\PROGRAM FILES\SYSAI\APROPOSPLUGIN.DLL (file missing)
O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296DA} - C:\WINDOWS\SYSTEM\ATPART~1.DLL
O2 - BHO: (no name) - {53C330D6-A4AB-419B-B45D-FD4411C1FEF4} - C:\PROGRAM FILES\404SEARCH\404SEARCH.DLL (file missing)
O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
O2 - BHO: (no name) - {00041A26-7033-432C-94C7-6371DE343822} - C:\PROGRAM FILES\SE\V11\SE.DLL (file missing)
O2 - BHO: Recommended Hotfix - {0421701D-CF13-4E70-ADF0-45A953E7CB8B} - C:\PROGRAM FILES\RECOMMENDED HOTFIX - 421701D\V15\RH.DLL
O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\BXXS5.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
O4 - HKLM\..\Run: [0wtj] C:\WINDOWS\TEMP\0WTJ.EXE
O4 - HKLM\..\Run: [35RJAFJ237MH#N] C:\WINDOWS\SYSTEM\Wdi7.exe
O4 - HKLM\..\Run: [stcinstaller] c:\installer\id53.exe
O4 - HKLM\..\Run: [goidr] C:\WINDOWS\goidr.exe
O4 - HKLM\..\Run: [lsyvbc] C:\WINDOWS\SYSTEM\lsyvbc.exe
O4 - HKLM\..\Run: [stcloader] C:\WINDOWS\SYSTEM\stcloader.exe
O4 - HKLM\..\Run: [ClrSchLoader] \Progra~1\ClearSearch\Loader.exe
O4 - HKLM\..\Run: [slmss] C:\Program Files\Common Files\slmss\slmss.exe
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\BXXS5.DLL,DllRun
O4 - HKLM\..\Run: [Mwsvm] C:\WINDOWS\mwsvm.exe
O4 - HKLM\..\Run: [rs2T36Q] DX7RAMP.EXE
O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
O4 - HKLM\..\Run: [DownloadWare] "C:\Program Files\DownloadWare\dw.exe" /H
O4 - HKLM\..\Run: [Search-Exe] "C:\PROGRAM FILES\SE\V11\SE.EXE" /H
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [LoadBlackD] C:\Program Files\Network ICE\BlackICE\blackd.exe
O4 - HKLM\..\RunServices: [McAfeeVirusScanService] C:\Program Files\McAfee\McAfee VirusScan\AVSYNMGR.EXE
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE"
O4 - HKCU\..\Run: [aBt3RWcnS] ROBMAINT.EXE
O4 - HKLM\..\RunOnce: [TV Media] C:\TV MEDIA\TVM.EXE
O4 - HKCU\..\RunOnce: [TV Media] C:\TV MEDIA\TVM.EXE
O4 - Startup: BlackICE Utility.lnk = C:\Program Files\Network ICE\BlackICE\blackice.exe
O9 - Extra button: AIM (HKLM)
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://www.gateway.com/support/serialharvest/gwCID.CAB
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB


0
Comment
Question by:vingold
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
  • 2
  • +1
8 Comments
 
LVL 5

Accepted Solution

by:
AshuraKnight earned 125 total points
ID: 11690623
Read this :

http://crazyone.tekmasters.com/malwaretools.html

from CrazyOne homepage :)
0
 

Expert Comment

by:kkrazyykkidd
ID: 11693371
Hey, just want to give you something to try:

Click start, click Run, and type "msconfig".
Click the startup tab
Uncheck all that you dont want to startup

hope this helps.. kkrazyykkidd
0
 

Expert Comment

by:plit
ID: 11693383
I'd suggest just format and install Windows on clean disk. And make a mark on it - "do not run programms i dont trust"

Formatting - reinstalling might be a bit complicated, but it should save nerves and might be even time.
0
How to Defend Against the WCry Ransomware Attack

On May 12, 2017, an extremely virulent ransomware variant named WCry 2.0 began to infect organizations. Within several hours, over 75,000 victims were reported in 90+ countries. Learn more from our research team about this threat & how to protect your organization!

 

Expert Comment

by:kkrazyykkidd
ID: 11693415
O4 - HKLM\..\Run: [ClrSchLoader] \Progra~1\ClearSearch\Loader.exe
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\BXXS5.DLL,DllRun
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE"
O4 - HKCU\..\Run: [aBt3RWcnS] ROBMAINT.EXE
O4 - HKLM\..\RunOnce: [TV Media] C:\TV MEDIA\TVM.EXE
O4 - HKCU\..\RunOnce: [TV Media] C:\TV MEDIA\TVM.EXE
O4 - HKLM\..\Run: [DownloadWare] "C:\Program Files\DownloadWare\dw.exe" /H
O4 - HKLM\..\Run: [Search-Exe] "C:\PROGRAM FILES\SE\V11\SE.EXE" /H
O4 - HKLM\..\Run: [stcinstaller] c:\installer\id53.exe
O4 - HKLM\..\Run: [goidr] C:\WINDOWS\goidr.exe
O4 - HKLM\..\Run: [0wtj] C:\WINDOWS\TEMP\0WTJ.EXE
2 - BHO: (no name) - {53C330D6-A4AB-419B-B45D-FD4411C1FEF4} - C:\PROGRAM FILES\404SEARCH\404SEARCH.DLL (file missing)

Get rid of what you dont need from here...

Apparently: O4 - HKLM\..\Run: [goidr] C:\WINDOWS\goidr.exe is a virus if you go here:

http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=126656
0
 

Expert Comment

by:kkrazyykkidd
ID: 11693444
0
 

Author Comment

by:vingold
ID: 11694721
I guess it is tricky here on EE, sometimes a poster wants to be fed the fish, and sometimes we want to be taught how to fish (or at least shown where the pond is).  I know when I post questions regarding databases, ASP, etc.  I want to be shown how to fish.

When I posted this question, I wanted to be fed a fish.  I don't want to be a spyware expert, my knowledge of Spyware is already far more than I would have originally wanted.  If it was up to me, it would be illegal, and would carry with it bigger penalties than spam.  But that is a rant for another day.

What I wanted, is a response to this question similar to responses I've seen elsewhere on EE regarding a HiJack-This log.  I wanted someone to tell me what to check off and fix, so I could get on with my workday.  This is very similar to what KkrazyyKidd did.

However, I also want to be fair in awarding the points, and it was Ashura's response that led me down the path to where the pond was (though I did have to do a few more google searches to find all of the fish).

Therefore I am accepting Ashura's answer, as brief as it was.

In addition to the link from Ashura provided above, I also found these to be helpful:

http://www.creightonbrown.geek.nz/content/ideas_tweaks.asp   <---- this was very helpful in locating and removing the TVM.exe entries from the registry.  Apparently TVM.exe runs every few moments to make sure it is loaded.  I ran HiJack-This 4 times, checking off the TVM.exe entries each time.  And every time it had reloaded itself.  Pesky little SOB.

I also used:  http://www.sysinfo.org/startuplist.php  to help me determine what should be getting loaded.  There was a handful of entries I couldn't find, I figured if it wasn't in the list it shouldn't be loaded and I got rid of it.

Thanks to all that helped!
- Vinny

BTW - if anyone want to comment on how I decided to award these points, please do.  You can reach me on AOL at vingold.
0
 
LVL 5

Expert Comment

by:AshuraKnight
ID: 11694777
Lol sorry vinny.
I thought every1 like being taught how to fish :P
So later on you can also answer someone else question and become an "expert"
Notice it's in quotes, because I think no1 can become an expert on specific field because there's other guy out there whom might know better :)
And thanks for the point :P
0
 

Author Comment

by:vingold
ID: 11695514
Ashura,

Not a problem :-)

Thanks again for your help.

- Vinny
0

Featured Post

2017 Webroot Threat Report

MSPs: Get the facts you need to protect your clients.
The 2017 Webroot Threat Report provides a uniquely insightful global view into the analysis and discoveries made by the Webroot® Threat Intelligence Platform to provide insights on key trends and risks as seen by our users.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
How to secure access to a folder on windows server 2008 R2 6 123
Security Event Log - 4625 11 56
Application of a group policy 11 72
WSUS - Updates Approval 2 35
Ransomware is a malware that is again in the list of security  concerns. Not only for companies, but also for Government security and  even at personal use. IT departments should be aware and have the right  knowledge to how to fight it.
No single Antivirus application (despite claims by manufacturers) will catch or protect you from all Virus / Malware or Spyware threats. That doesn't stop you from further protecting yourself however - and this article is to show you how.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question