Solved

hiJack Log... Please help

Posted on 2004-08-12
9
879 Views
Last Modified: 2010-04-11
What should be removed....  I'm pretty sure there's a few, but I'm allways cautious going through them.

Thanks guys!

Logfile of HijackThis v1.97.7
Scan saved at 1:38:52 PM, on 12/08/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\yenavn.exe
C:\Program Files\OfferApp\OfferApp.exe
C:\WINDOWS\dhbrwsr.exe
C:\Program Files\Common Files\WinTools\WToolsA.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Ares\Ares.exe
C:\Program Files\ACT\SideACT.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\WinTools\WToolsS.exe
C:\Program Files\Common Files\WinTools\WSup.exe
C:\WINDOWS\system32\sessmgr.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpCtr.exe
C:\WINDOWS\system32\RDSHOST.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\dhsvr.exe
C:\Documents and Settings\Ed\Local Settings\Temporary Internet Files\Content.IE5\A0D7EQ8M\HijackThis[1].exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.google.ca/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://go.microsoft.com/fwlink/?LinkId=374
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} - C:\WINDOWS\dealhlpr.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: Band Class - {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} - C:\WINDOWS\dealhlpr.dll
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [System Tray] C:\WINDOWS\msccn32.exe
O4 - HKLM\..\Run: [Soundmx] C:\WINDOWS\System32\soundmx.exe
O4 - HKLM\..\Run: [sh263m] C:\WINDOWS\System32\sh263m.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [DealHelperUpdate] C:\WINDOWS\DHUpdt.exe
O4 - HKLM\..\Run: [DealHelperBrwsr] C:\WINDOWS\dhbrwsr.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - HKCU\..\Run: [System Tray] C:\WINDOWS\msccn32.exe
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: SideACT!.lnk = C:\Program Files\ACT\SideACT.exe
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: ICQ 4.1 (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - file://C:\install.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1408.g.akamai.net/7/1408/9955/20031218/akamai.info.apple.com/iTunes4/WW/win/019-0123.20031218.zes4d/iTunesSetup.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/0829a8578d9e0567e005/netzip/RdxIE601.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab28578.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab

0
Comment
Question by:FTIISD
9 Comments
 
LVL 65

Accepted Solution

by:
SheharyaarSaahil earned 500 total points
ID: 11785740
Hello FTIISD =)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} - C:\WINDOWS\dealhlpr.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: Band Class - {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} - C:\WINDOWS\dealhlpr.dll
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O4 - HKLM\..\Run: [sh263m] C:\WINDOWS\System32\sh263m.exe
O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
O4 - HKLM\..\Run: [DealHelperUpdate] C:\WINDOWS\DHUpdt.exe
O4 - HKLM\..\Run: [DealHelperBrwsr] C:\WINDOWS\dhbrwsr.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKCU\..\Run: [System Tray] C:\WINDOWS\msccn32.exe
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - file://C:\install.cab
===================================================

U can Fix these entries !!!!!!
0
 
LVL 32

Expert Comment

by:Luc Franken
ID: 11785763
Hi FTIISD,

Tick the checkbox in front of the following lines, afterwards click "fix checked"
Then reboot the computer and dlete the offending files.

O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} - C:\WINDOWS\dealhlpr.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: Band Class - {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} - C:\WINDOWS\dealhlpr.dll
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O4 - HKLM\..\Run: [System Tray] C:\WINDOWS\msccn32.exe
O4 - HKLM\..\Run: [sh263m] C:\WINDOWS\System32\sh263m.exe
O4 - HKLM\..\Run: [DealHelperUpdate] C:\WINDOWS\DHUpdt.exe
O4 - HKLM\..\Run: [DealHelperBrwsr] C:\WINDOWS\dhbrwsr.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKCU\..\Run: [System Tray] C:\WINDOWS\msccn32.exe
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h <= GAOBOT
O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - file://C:\install.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/0829a8578d9e0567e005/netzip/RdxIE601.cab

Greetings,

LucF
0
 
LVL 32

Expert Comment

by:Luc Franken
ID: 11785769
too slow...
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 11785779
and ofcourse before fixixng those line dont forget to Turn off the System Restore and then u can run the following tools in Safemode to get rid of all remainents junk stuff :)

========================================================
AdAware ==> http://www.lavasoftusa.com/support/download/
SpyBot  ==> http://www.spychecker.com/program/spybot.html
CoolWebShredder ==> http://www.spychecker.com/program/coolwebshredder.html
ToolBar Cop >> http://www.mvps.org/sramesh2k/toolbarcop.htm
Stinger >> http://vil.nai.com/vil/stinger
========================================================

post back the results :)
0
Free camera licenses with purchase of My Cloud NAS

Milestone Arcus software is compatible with thousands of industry-leading cameras for added flexibility. Upon installation on your My Cloud NAS, you will receive two (2) camera licenses already enabled in the software. And for a limited time, get additional camera licenses FREE.

 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 11785837
>> Logfile of HijackThis v1.97.7

and BTW its the old version,,,, next time use the new version, u can get it from here :)
http://tools.radiosplace.com/HijackThis.exe
0
 
LVL 12

Expert Comment

by:rossfingal
ID: 11797377
Have them attempt to remove"Wintools" through Add/Remove Programs first.
And, tell them to move HijackThis out of a temporary folder into a folder of it's own.
As always - Regards...
RF
0
 
LVL 3

Expert Comment

by:cduke250
ID: 11805682
If you are running windows XP then you are in a lot of luck bro~

The windows restore program automatically saves registry and other settings in a "snapshot" of your computer.  There are several "snapshots" available that let you restore old (working) settings.   Restoring an older snapshot does not delete any of your new files or change anything bad.  If I was you I would do this immediately and then run a thorough anti-virus program with the latest updates.  Here is a MO for you.
_________________________
| OPTIONAL PRE CHECKLIST |
+--------------------------------------------------------------------------------------------------+
Save ALL records in a specific spot like My documents/records/   You will have to go through the settings of the programs to do this.  This will greatly aid someone trying to help.

If you need a program but your PC doesnt connect to internet to download it, DL it on another PC and save to disk or burn to CD.  

Google for "vice trojan finder"  or find it at rootkit.com  

Find hijackthis at http://www.spychecker.com/download/download_hijackthis.html

AdWare is a REQUIREMENT for smooth pc operation.  find at zdnet and emule.

Use emule (zdnet.com) to find programs. (during setup you want to use the kad network too.)

Might need winrar (zdnet.com, winrar.com) to unpack and unzip files.  WinZip will not work for some of these files.

Don't use IE as your web browser.  Use netscape or USE FIREFOX!! THE BEST BROWSER"." www.mozilla.org
+--------------------------------------------------------------------------------------------------+

____________
| CHECKLIST |
+--------------------------------------------------------------------------------------------------+
1. Start -> Programs -> Accessories -> System Tools -> System Restore --> "Restore my computer to an earlier point" --> pick a date and go!

OPTIONAL
*** I would also go to  Start -> Programs -> Accessories -> System Tools -> Disk Cleanup --> delete temp files

2. Update any anti-virus programs you have.  Definately have and regularly use anti-virus programs (Zone alarm security suite, mcaffee, AdAware, hijackthis)!!! Zdnet.com

OPTIONAL -NOT RECOMMENDED -RISKY
**No budget? You can download emule at zdnet.com and search for a anti-virus product.  Scan it for viruses before unpacking(unzipping, unarchiving), scan while unpacking, and scan after unpacking.
-Risky because it could contain a virus or be a malware.  I have found most to be good however.  If you do download anti-virus product make sure you register and pay for it and update everything you can.

OPTIONAL
**Go to Start ->  Settings -> Control Panel -> Add Remove Programs --> Remove all uneeded and unused programs.  This will help all around PC performace.  

OPTIONAL
**Go to Start -> Programs -> Accessories -> System Tools -> Disk Defragmenter --> "Analyse"  --> follow recommendation to defragment or not.  Our recommendation is to defrag no matter what.

3.  Scan your computer with the most advanced and long type of anti-virus detection availabe.  Peruse the settings and try looking for byte-level scanning or byte-heuristics..  Make sure you are scanning in archives as well.

4.  Run a full Adaware with updated definitions. (zdnet.com)

5. Run a full hijackthis.


+--------------------------------------------------------------------------------------------------+


0
 

Author Comment

by:FTIISD
ID: 11810654
Thanks SheharyaarSaahil  and LucF,

cduke250, thanks for the input, unfortunatley it's not my PC, and I have no idea how long he's had that stuff on there.  I'm very familliar with all the workings of XP, and such, I just lack the knowlege when it comes to those hijackThis logs.  I'm learning them, but I'm always affraid I'm going to wipe something I need.

none the less,
Thanks to all three of you!

Cheers!
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 11810807
thanx ^_^
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

These days, all we hear about hacktivists took down so and so websites and retrieved thousands of user’s data. One of the techniques to get unauthorized access to database is by performing SQL injection. This article is quite lengthy which gives bas…
There are many Password Managers (PM) out there to choose from. PM's can help with your password habits and routines, but they should not be a crutch you rely on too heavily. I also have an article for company/enterprise PM's.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
A simple description of email encryption using a secure portal service. This is one of the choices offered by The Email Laundry for email encryption. The other choices are pdf encryption which creates an encrypted pdf of your email and any attachmen…

867 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

15 Experts available now in Live!

Get 1:1 Help Now