Solved

Hijack-This Log - help!

Posted on 2004-08-01
8
473 Views
Last Modified: 2010-04-11
I've run Spybot and AdAware a few times (they are completely updated).  Checked for problems, fixed them, and immunized.

I went through HiJack this once before, and took out stuff I knew to be obvious (e.g. Clearsearch junk, STCLoader, etc.), and searched on here for the rest.

I thought I had it licked.  Nope, it seems like a lot of stuff loaded itself back up, and when I turn it on something like 20 processes start-up.  The only way to get out of it is to use Task Manager to shut them down one by one.

Admittedly, I have brought most of this on myself by using Kazaa etc, on the infected computer in question.  Luckily, its just a spare computer in the house, but I would like to be able to use it from time to time.

Anyway here's the most recent log, hope someone can help.
------------------------------------
Logfile of HijackThis v1.97.7
Scan saved at 6:52:06 PM, on 8/1/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v5.50 (5.50.4134.0600)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\NETWORK ICE\BLACKICE\BLACKD.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVSYNMGR.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSSTAT.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSHWIN32.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVCONSOL.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\WEBSCANX.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\GOIDR.EXE
C:\PROGRAM FILES\COMMON FILES\SLMSS\SLMSS.EXE
C:\PROGRAM FILES\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.search-exe.com/nph-search.cgi?tcode=exebar1&look=sbar1_srchbtn
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.search-exe.com/nph-search.cgi?tcode=exesrch1&look=stmpl1&fw=
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.search-exe.com/nph-search.cgi?tcode=exesrch1&look=stmpl1&fw=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.search-exe.com/nph-search.cgi?tcode=exebar1&look=sbar1_srchbtn
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.search-exe.com/nph-search.cgi?tcode=exesrch1&look=stmpl1&fw=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.search-exe.com/nph-search.cgi?tcode=exesrch1&look=stmpl1&fw=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.search-exe.com/nph-search.cgi?tcode=exesrch1&look=stmpl1&fw=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.search-exe.com/nph-search.cgi?tcode=exesrch1&look=stmpl1&fw=
R3 - URLSearchHook: (no name) - _{707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\TV MEDIA\TvmBho.dll (file missing)
F1 - win.ini: load=HPWHRC.EXE
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\NEM219.DLL (file missing)
O2 - BHO: (no name) - {2673A080-E143-11D8-924B-009027167897} - C:\WINDOWS\SYSTEM\LSYVB.DLL
O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\PROGRAM FILES\SYSAI\APROPOSPLUGIN.DLL (file missing)
O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296DA} - C:\WINDOWS\SYSTEM\ATPART~1.DLL
O2 - BHO: (no name) - {53C330D6-A4AB-419B-B45D-FD4411C1FEF4} - C:\PROGRAM FILES\404SEARCH\404SEARCH.DLL (file missing)
O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
O2 - BHO: (no name) - {00041A26-7033-432C-94C7-6371DE343822} - C:\PROGRAM FILES\SE\V11\SE.DLL (file missing)
O2 - BHO: Recommended Hotfix - {0421701D-CF13-4E70-ADF0-45A953E7CB8B} - C:\PROGRAM FILES\RECOMMENDED HOTFIX - 421701D\V15\RH.DLL
O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\BXXS5.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
O4 - HKLM\..\Run: [0wtj] C:\WINDOWS\TEMP\0WTJ.EXE
O4 - HKLM\..\Run: [35RJAFJ237MH#N] C:\WINDOWS\SYSTEM\Wdi7.exe
O4 - HKLM\..\Run: [stcinstaller] c:\installer\id53.exe
O4 - HKLM\..\Run: [goidr] C:\WINDOWS\goidr.exe
O4 - HKLM\..\Run: [lsyvbc] C:\WINDOWS\SYSTEM\lsyvbc.exe
O4 - HKLM\..\Run: [stcloader] C:\WINDOWS\SYSTEM\stcloader.exe
O4 - HKLM\..\Run: [ClrSchLoader] \Progra~1\ClearSearch\Loader.exe
O4 - HKLM\..\Run: [slmss] C:\Program Files\Common Files\slmss\slmss.exe
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\BXXS5.DLL,DllRun
O4 - HKLM\..\Run: [Mwsvm] C:\WINDOWS\mwsvm.exe
O4 - HKLM\..\Run: [rs2T36Q] DX7RAMP.EXE
O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
O4 - HKLM\..\Run: [DownloadWare] "C:\Program Files\DownloadWare\dw.exe" /H
O4 - HKLM\..\Run: [Search-Exe] "C:\PROGRAM FILES\SE\V11\SE.EXE" /H
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [LoadBlackD] C:\Program Files\Network ICE\BlackICE\blackd.exe
O4 - HKLM\..\RunServices: [McAfeeVirusScanService] C:\Program Files\McAfee\McAfee VirusScan\AVSYNMGR.EXE
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE"
O4 - HKCU\..\Run: [aBt3RWcnS] ROBMAINT.EXE
O4 - HKLM\..\RunOnce: [TV Media] C:\TV MEDIA\TVM.EXE
O4 - HKCU\..\RunOnce: [TV Media] C:\TV MEDIA\TVM.EXE
O4 - Startup: BlackICE Utility.lnk = C:\Program Files\Network ICE\BlackICE\blackice.exe
O9 - Extra button: AIM (HKLM)
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://www.gateway.com/support/serialharvest/gwCID.CAB
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB


0
Comment
Question by:vingold
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
  • 2
  • +1
8 Comments
 
LVL 5

Accepted Solution

by:
AshuraKnight earned 125 total points
ID: 11690623
Read this :

http://crazyone.tekmasters.com/malwaretools.html

from CrazyOne homepage :)
0
 

Expert Comment

by:kkrazyykkidd
ID: 11693371
Hey, just want to give you something to try:

Click start, click Run, and type "msconfig".
Click the startup tab
Uncheck all that you dont want to startup

hope this helps.. kkrazyykkidd
0
 

Expert Comment

by:plit
ID: 11693383
I'd suggest just format and install Windows on clean disk. And make a mark on it - "do not run programms i dont trust"

Formatting - reinstalling might be a bit complicated, but it should save nerves and might be even time.
0
Ready to trade in that old firewall?

Whether you need to trade-up to a shiny new Firebox or just ready to upgrade from whatever appliance you're using now, WatchGuard has the right appliance for you! Find your perfect Firebox today with appliance sizing tool!

 

Expert Comment

by:kkrazyykkidd
ID: 11693415
O4 - HKLM\..\Run: [ClrSchLoader] \Progra~1\ClearSearch\Loader.exe
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\BXXS5.DLL,DllRun
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE"
O4 - HKCU\..\Run: [aBt3RWcnS] ROBMAINT.EXE
O4 - HKLM\..\RunOnce: [TV Media] C:\TV MEDIA\TVM.EXE
O4 - HKCU\..\RunOnce: [TV Media] C:\TV MEDIA\TVM.EXE
O4 - HKLM\..\Run: [DownloadWare] "C:\Program Files\DownloadWare\dw.exe" /H
O4 - HKLM\..\Run: [Search-Exe] "C:\PROGRAM FILES\SE\V11\SE.EXE" /H
O4 - HKLM\..\Run: [stcinstaller] c:\installer\id53.exe
O4 - HKLM\..\Run: [goidr] C:\WINDOWS\goidr.exe
O4 - HKLM\..\Run: [0wtj] C:\WINDOWS\TEMP\0WTJ.EXE
2 - BHO: (no name) - {53C330D6-A4AB-419B-B45D-FD4411C1FEF4} - C:\PROGRAM FILES\404SEARCH\404SEARCH.DLL (file missing)

Get rid of what you dont need from here...

Apparently: O4 - HKLM\..\Run: [goidr] C:\WINDOWS\goidr.exe is a virus if you go here:

http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=126656
0
 

Author Comment

by:vingold
ID: 11694721
I guess it is tricky here on EE, sometimes a poster wants to be fed the fish, and sometimes we want to be taught how to fish (or at least shown where the pond is).  I know when I post questions regarding databases, ASP, etc.  I want to be shown how to fish.

When I posted this question, I wanted to be fed a fish.  I don't want to be a spyware expert, my knowledge of Spyware is already far more than I would have originally wanted.  If it was up to me, it would be illegal, and would carry with it bigger penalties than spam.  But that is a rant for another day.

What I wanted, is a response to this question similar to responses I've seen elsewhere on EE regarding a HiJack-This log.  I wanted someone to tell me what to check off and fix, so I could get on with my workday.  This is very similar to what KkrazyyKidd did.

However, I also want to be fair in awarding the points, and it was Ashura's response that led me down the path to where the pond was (though I did have to do a few more google searches to find all of the fish).

Therefore I am accepting Ashura's answer, as brief as it was.

In addition to the link from Ashura provided above, I also found these to be helpful:

http://www.creightonbrown.geek.nz/content/ideas_tweaks.asp   <---- this was very helpful in locating and removing the TVM.exe entries from the registry.  Apparently TVM.exe runs every few moments to make sure it is loaded.  I ran HiJack-This 4 times, checking off the TVM.exe entries each time.  And every time it had reloaded itself.  Pesky little SOB.

I also used:  http://www.sysinfo.org/startuplist.php  to help me determine what should be getting loaded.  There was a handful of entries I couldn't find, I figured if it wasn't in the list it shouldn't be loaded and I got rid of it.

Thanks to all that helped!
- Vinny

BTW - if anyone want to comment on how I decided to award these points, please do.  You can reach me on AOL at vingold.
0
 
LVL 5

Expert Comment

by:AshuraKnight
ID: 11694777
Lol sorry vinny.
I thought every1 like being taught how to fish :P
So later on you can also answer someone else question and become an "expert"
Notice it's in quotes, because I think no1 can become an expert on specific field because there's other guy out there whom might know better :)
And thanks for the point :P
0
 

Author Comment

by:vingold
ID: 11695514
Ashura,

Not a problem :-)

Thanks again for your help.

- Vinny
0

Featured Post

Optimize your web performance

What's in the eBook?
- Full list of reasons for poor performance
- Ultimate measures to speed things up
- Primary web monitoring types
- KPIs you should be monitoring in order to increase your ROI

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A 2007 NCSA Cyber Security survey revealed that a mere 4% of the population has a full understanding of firewalls. As business owner, you should be part of that 4% that has a full understanding.
A look at what happened in the Verizon cloud breach.
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…
This video Micro Tutorial shows how to password-protect PDF files with free software. Many software products can do this, such as Adobe Acrobat (but not Adobe Reader), Nuance PaperPort, and Nuance Power PDF, but they are not free products. This vide…
Suggested Courses
Course of the Month9 days, 14 hours left to enroll

624 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question