
hiJack Log... Please help

What should be removed....  I'm pretty sure there's a few, but I'm always cautious going through them.

Thanks guys!

Logfile of HijackThis v1.97.7
Scan saved at 1:38:52 PM, on 12/08/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\yenavn.exe
C:\Program Files\OfferApp\OfferApp.exe
C:\WINDOWS\dhbrwsr.exe
C:\Program Files\Common Files\WinTools\WToolsA.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Ares\Ares.exe
C:\Program Files\ACT\SideACT.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\WinTools\WToolsS.exe
C:\Program Files\Common Files\WinTools\WSup.exe
C:\WINDOWS\system32\sessmgr.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpCtr.exe
C:\WINDOWS\system32\RDSHOST.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\dhsvr.exe
C:\Documents and Settings\Ed\Local Settings\Temporary Internet Files\Content.IE5\A0D7EQ8M\HijackThis[1].exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.google.ca/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://go.microsoft.com/fwlink/?LinkId=374
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} - C:\WINDOWS\dealhlpr.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: Band Class - {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} - C:\WINDOWS\dealhlpr.dll
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [System Tray] C:\WINDOWS\msccn32.exe
O4 - HKLM\..\Run: [Soundmx] C:\WINDOWS\System32\soundmx.exe
O4 - HKLM\..\Run: [sh263m] C:\WINDOWS\System32\sh263m.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [DealHelperUpdate] C:\WINDOWS\DHUpdt.exe
O4 - HKLM\..\Run: [DealHelperBrwsr] C:\WINDOWS\dhbrwsr.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - HKCU\..\Run: [System Tray] C:\WINDOWS\msccn32.exe
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: SideACT!.lnk = C:\Program Files\ACT\SideACT.exe
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: ICQ 4.1 (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - file://C:\install.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1408.g.akamai.net/7/1408/9955/20031218/akamai.info.apple.com/iTunes4/WW/win/019-0123.20031218.zes4d/iTunesSetup.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/0829a8578d9e0567e005/netzip/RdxIE601.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab28578.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab

Asked by: FTIISD

SheharyaarSaahil commented:
Hello FTIISD =)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} - C:\WINDOWS\dealhlpr.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: Band Class - {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} - C:\WINDOWS\dealhlpr.dll
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O4 - HKLM\..\Run: [sh263m] C:\WINDOWS\System32\sh263m.exe
O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
O4 - HKLM\..\Run: [DealHelperUpdate] C:\WINDOWS\DHUpdt.exe
O4 - HKLM\..\Run: [DealHelperBrwsr] C:\WINDOWS\dhbrwsr.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKCU\..\Run: [System Tray] C:\WINDOWS\msccn32.exe
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - file://C:\install.cab
===================================================

U can Fix these entries !!!!!!

LucF (EMEA Server Engineer) commented:
Hi FTIISD,

Tick the checkbox in front of the following lines, afterwards click "fix checked"
Then reboot the computer and delete the offending files.

O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} - C:\WINDOWS\dealhlpr.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: Band Class - {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} - C:\WINDOWS\dealhlpr.dll
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O4 - HKLM\..\Run: [System Tray] C:\WINDOWS\msccn32.exe
O4 - HKLM\..\Run: [sh263m] C:\WINDOWS\System32\sh263m.exe
O4 - HKLM\..\Run: [DealHelperUpdate] C:\WINDOWS\DHUpdt.exe
O4 - HKLM\..\Run: [DealHelperBrwsr] C:\WINDOWS\dhbrwsr.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKCU\..\Run: [System Tray] C:\WINDOWS\msccn32.exe
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h <= GAOBOT
O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - file://C:\install.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/0829a8578d9e0567e005/netzip/RdxIE601.cab

Greetings,

LucF
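The two answers above apply the same rules by eye: BHOs registered with no name, toolbar CLSIDs whose file is gone, Run entries launching an .exe dropped straight into the Windows root, and DPF objects fetched from file:// or a bare IP address. The following Python is an added example (not from this thread or from HijackThis itself) that parses those line types and applies a subset of those checks mechanically; the sample input is a handful of lines copied from the log posted above.

```python
import re
from urllib.parse import urlparse
# Constructed sample: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - file://C:\install.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/0829a8578d9e0567e005/netzip/RdxIE601.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
"""

ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.+)$")          # "O4 - <body>"
O4_RE = re.compile(r"^[^:]+: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")      # "HKLM\..\Run: [value] command"
WINROOT_EXE_RE = re.compile(r"^[A-Za-z]:\\WINDOWS\\[^\\]+\.exe$", re.IGNORECASE)
IPV4_RE = re.compile(r"\d{1,3}(\.\d{1,3}){3}")

def parse_entry(line):  # -> section, display name and target (file path or URL), or None
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    name, target = "", body
    if sec in ("O2", "O3"):            # "BHO: name - {CLSID} - path" / "Toolbar: name - {CLSID} - path"
        name, _, rest = body.partition(": ")[2].partition(" - ")
        target = rest.partition(" - ")[2]
    elif sec == "O16":                 # "DPF: {CLSID} (name) - URL"; everything after the last " - " is the URL
        name, _, target = body.partition(": ")[2].rpartition(" - ")
    elif sec == "O4" and (m4 := O4_RE.match(body)):
        q = re.match(r'^"([^"]+)"|^(\S+)', m4.group("cmd"))   # first token: quoted path or bare word
        name, target = m4.group("name"), q.group(1) or q.group(2)
    return {"section": sec, "name": name, "target": target, "raw": line.strip()}

def triage(log_text):  # mechanical version of the manual checks; returns (reason, line) pairs
    findings = []
    for e in filter(None, map(parse_entry, log_text.splitlines())):
        sec, name, target = e["section"], e["name"], e["target"]
        if sec == "O2" and name == "(no name)":
            findings.append(("BHO registered with no name", e["raw"]))
        elif sec == "O3" and target == "(no file)":
            findings.append(("toolbar CLSID whose file is gone", e["raw"]))
        elif sec == "O4" and WINROOT_EXE_RE.match(target):
            findings.append(("Run entry launching an .exe placed in the Windows root", e["raw"]))
        elif sec == "O16":
            u = urlparse(target)
            if u.scheme == "file" or IPV4_RE.fullmatch(u.hostname or ""):
                findings.append(("DPF object fetched from file:// or a bare IP", e["raw"]))
    return findings
```

Entries such as sh263m.exe in System32 pass these rules and still need the by-hand judgement the answers show, so treat the output as a shortlist, not a verdict.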

LucF (EMEA Server Engineer) commented:
too slow...
SheharyaarSaahil commented:
and of course before fixing those lines don't forget to turn off the System Restore and then u can run the following tools in Safe Mode to get rid of all the remaining junk stuff :)

========================================================
AdAware ==> http://www.lavasoftusa.com/support/download/
SpyBot  ==> http://www.spychecker.com/program/spybot.html
CoolWebShredder ==> http://www.spychecker.com/program/coolwebshredder.html
ToolBar Cop >> http://www.mvps.org/sramesh2k/toolbarcop.htm
Stinger >> http://vil.nai.com/vil/stinger
========================================================

post back the results :)

SheharyaarSaahil commented:
>> Logfile of HijackThis v1.97.7

and BTW it's the old version. Next time use the new version, u can get it from here :)
http://tools.radiosplace.com/HijackThis.exe

rossfingal commented:
Have them attempt to remove "Wintools" through Add/Remove Programs first.
And, tell them to move HijackThis out of a temporary folder into a folder of its own.
As always - Regards...
RF

cduke250 commented:
If you are running windows XP then you are in a lot of luck bro~

The windows restore program automatically saves registry and other settings in a "snapshot" of your computer.  There are several "snapshots" available that let you restore old (working) settings.   Restoring an older snapshot does not delete any of your new files or change anything bad.  If I was you I would do this immediately and then run a thorough anti-virus program with the latest updates.  Here is a MO for you.
_________________________
| OPTIONAL PRE CHECKLIST |
+--------------------------------------------------------------------------------------------------+
Save ALL records in a specific spot like My documents/records/   You will have to go through the settings of the programs to do this.  This will greatly aid someone trying to help.

If you need a program but your PC doesn't connect to the internet to download it, DL it on another PC and save to disk or burn to CD.

Google for "vice trojan finder"  or find it at rootkit.com  

Find hijackthis at http://www.spychecker.com/download/download_hijackthis.html

AdWare is a REQUIREMENT for smooth pc operation.  find at zdnet and emule.

Use emule (zdnet.com) to find programs. (during setup you want to use the kad network too.)

Might need winrar (zdnet.com, winrar.com) to unpack and unzip files.  WinZip will not work for some of these files.

Don't use IE as your web browser.  Use Netscape or USE FIREFOX!! THE BEST BROWSER. www.mozilla.org
+--------------------------------------------------------------------------------------------------+

____________
| CHECKLIST |
+--------------------------------------------------------------------------------------------------+
1. Start -> Programs -> Accessories -> System Tools -> System Restore --> "Restore my computer to an earlier point" --> pick a date and go!

OPTIONAL
*** I would also go to  Start -> Programs -> Accessories -> System Tools -> Disk Cleanup --> delete temp files

2. Update any anti-virus programs you have.  Definitely have and regularly use anti-virus programs (Zone Alarm security suite, McAfee, AdAware, hijackthis)!!! Zdnet.com

OPTIONAL -NOT RECOMMENDED -RISKY
**No budget? You can download emule at zdnet.com and search for an anti-virus product.  Scan it for viruses before unpacking (unzipping, unarchiving), scan while unpacking, and scan after unpacking.
-Risky because it could contain a virus or be malware.  I have found most to be good however.  If you do download an anti-virus product make sure you register and pay for it and update everything you can.

OPTIONAL
**Go to Start -> Settings -> Control Panel -> Add Remove Programs --> Remove all unneeded and unused programs.  This will help all-around PC performance.

OPTIONAL
**Go to Start -> Programs -> Accessories -> System Tools -> Disk Defragmenter --> "Analyse"  --> follow recommendation to defragment or not.  Our recommendation is to defrag no matter what.

3.  Scan your computer with the most advanced and long type of anti-virus detection available.  Peruse the settings and try looking for byte-level scanning or byte-heuristics.  Make sure you are scanning in archives as well.

4.  Run a full Adaware with updated definitions. (zdnet.com)

5. Run a full hijackthis.


+--------------------------------------------------------------------------------------------------+



FTIISD (Author) commented:
Thanks SheharyaarSaahil  and LucF,

cduke250, thanks for the input, unfortunately it's not my PC, and I have no idea how long he's had that stuff on there.  I'm very familiar with all the workings of XP, and such, I just lack the knowledge when it comes to those HijackThis logs.  I'm learning them, but I'm always afraid I'm going to wipe something I need.

Nonetheless,
Thanks to all three of you!

Cheers!

SheharyaarSaahil commented:
thanx ^_^