?
Solved

hiJack Log... Please help

Posted on 2004-08-12
9
Medium Priority
?
892 Views
Last Modified: 2010-04-11
What should be removed....  I'm pretty sure there's a few, but I'm allways cautious going through them.

Thanks guys!

Logfile of HijackThis v1.97.7
Scan saved at 1:38:52 PM, on 12/08/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\yenavn.exe
C:\Program Files\OfferApp\OfferApp.exe
C:\WINDOWS\dhbrwsr.exe
C:\Program Files\Common Files\WinTools\WToolsA.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Ares\Ares.exe
C:\Program Files\ACT\SideACT.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\WinTools\WToolsS.exe
C:\Program Files\Common Files\WinTools\WSup.exe
C:\WINDOWS\system32\sessmgr.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpCtr.exe
C:\WINDOWS\system32\RDSHOST.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\dhsvr.exe
C:\Documents and Settings\Ed\Local Settings\Temporary Internet Files\Content.IE5\A0D7EQ8M\HijackThis[1].exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.google.ca/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://go.microsoft.com/fwlink/?LinkId=374
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} - C:\WINDOWS\dealhlpr.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: Band Class - {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} - C:\WINDOWS\dealhlpr.dll
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [System Tray] C:\WINDOWS\msccn32.exe
O4 - HKLM\..\Run: [Soundmx] C:\WINDOWS\System32\soundmx.exe
O4 - HKLM\..\Run: [sh263m] C:\WINDOWS\System32\sh263m.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [DealHelperUpdate] C:\WINDOWS\DHUpdt.exe
O4 - HKLM\..\Run: [DealHelperBrwsr] C:\WINDOWS\dhbrwsr.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - HKCU\..\Run: [System Tray] C:\WINDOWS\msccn32.exe
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: SideACT!.lnk = C:\Program Files\ACT\SideACT.exe
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: ICQ 4.1 (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - file://C:\install.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1408.g.akamai.net/7/1408/9955/20031218/akamai.info.apple.com/iTunes4/WW/win/019-0123.20031218.zes4d/iTunesSetup.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/0829a8578d9e0567e005/netzip/RdxIE601.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab28578.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab

0
Comment
Question by:FTIISD
9 Comments
 
LVL 65

Accepted Solution

by:
SheharyaarSaahil earned 2000 total points
ID: 11785740
Hello FTIISD =)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} - C:\WINDOWS\dealhlpr.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: Band Class - {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} - C:\WINDOWS\dealhlpr.dll
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O4 - HKLM\..\Run: [sh263m] C:\WINDOWS\System32\sh263m.exe
O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
O4 - HKLM\..\Run: [DealHelperUpdate] C:\WINDOWS\DHUpdt.exe
O4 - HKLM\..\Run: [DealHelperBrwsr] C:\WINDOWS\dhbrwsr.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKCU\..\Run: [System Tray] C:\WINDOWS\msccn32.exe
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - file://C:\install.cab
===================================================

U can Fix these entries !!!!!!
0
 
LVL 32

Expert Comment

by:LucF
ID: 11785763
Hi FTIISD,

Tick the checkbox in front of the following lines, afterwards click "fix checked"
Then reboot the computer and dlete the offending files.

O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} - C:\WINDOWS\dealhlpr.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: Band Class - {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} - C:\WINDOWS\dealhlpr.dll
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O4 - HKLM\..\Run: [System Tray] C:\WINDOWS\msccn32.exe
O4 - HKLM\..\Run: [sh263m] C:\WINDOWS\System32\sh263m.exe
O4 - HKLM\..\Run: [DealHelperUpdate] C:\WINDOWS\DHUpdt.exe
O4 - HKLM\..\Run: [DealHelperBrwsr] C:\WINDOWS\dhbrwsr.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKCU\..\Run: [System Tray] C:\WINDOWS\msccn32.exe
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h <= GAOBOT
O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - file://C:\install.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/0829a8578d9e0567e005/netzip/RdxIE601.cab

Greetings,

LucF
0
 
LVL 32

Expert Comment

by:LucF
ID: 11785769
too slow...
0
What Security Threats Are We Predicting for 2018?

Cryptocurrency, IoT botnets, MFA, and more! Hackers are already planning their next big attacks for 2018. Learn what you might face, and how to defend against it with our 2018 security predictions.

 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 11785779
and ofcourse before fixixng those line dont forget to Turn off the System Restore and then u can run the following tools in Safemode to get rid of all remainents junk stuff :)

========================================================
AdAware ==> http://www.lavasoftusa.com/support/download/
SpyBot  ==> http://www.spychecker.com/program/spybot.html
CoolWebShredder ==> http://www.spychecker.com/program/coolwebshredder.html
ToolBar Cop >> http://www.mvps.org/sramesh2k/toolbarcop.htm
Stinger >> http://vil.nai.com/vil/stinger
========================================================

post back the results :)
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 11785837
>> Logfile of HijackThis v1.97.7

and BTW its the old version,,,, next time use the new version, u can get it from here :)
http://tools.radiosplace.com/HijackThis.exe
0
 
LVL 12

Expert Comment

by:rossfingal
ID: 11797377
Have them attempt to remove"Wintools" through Add/Remove Programs first.
And, tell them to move HijackThis out of a temporary folder into a folder of it's own.
As always - Regards...
RF
0
 
LVL 3

Expert Comment

by:cduke250
ID: 11805682
If you are running windows XP then you are in a lot of luck bro~

The windows restore program automatically saves registry and other settings in a "snapshot" of your computer.  There are several "snapshots" available that let you restore old (working) settings.   Restoring an older snapshot does not delete any of your new files or change anything bad.  If I was you I would do this immediately and then run a thorough anti-virus program with the latest updates.  Here is a MO for you.
_________________________
| OPTIONAL PRE CHECKLIST |
+--------------------------------------------------------------------------------------------------+
Save ALL records in a specific spot like My documents/records/   You will have to go through the settings of the programs to do this.  This will greatly aid someone trying to help.

If you need a program but your PC doesnt connect to internet to download it, DL it on another PC and save to disk or burn to CD.  

Google for "vice trojan finder"  or find it at rootkit.com  

Find hijackthis at http://www.spychecker.com/download/download_hijackthis.html

AdWare is a REQUIREMENT for smooth pc operation.  find at zdnet and emule.

Use emule (zdnet.com) to find programs. (during setup you want to use the kad network too.)

Might need winrar (zdnet.com, winrar.com) to unpack and unzip files.  WinZip will not work for some of these files.

Don't use IE as your web browser.  Use netscape or USE FIREFOX!! THE BEST BROWSER"." www.mozilla.org
+--------------------------------------------------------------------------------------------------+

____________
| CHECKLIST |
+--------------------------------------------------------------------------------------------------+
1. Start -> Programs -> Accessories -> System Tools -> System Restore --> "Restore my computer to an earlier point" --> pick a date and go!

OPTIONAL
*** I would also go to  Start -> Programs -> Accessories -> System Tools -> Disk Cleanup --> delete temp files

2. Update any anti-virus programs you have.  Definately have and regularly use anti-virus programs (Zone alarm security suite, mcaffee, AdAware, hijackthis)!!! Zdnet.com

OPTIONAL -NOT RECOMMENDED -RISKY
**No budget? You can download emule at zdnet.com and search for a anti-virus product.  Scan it for viruses before unpacking(unzipping, unarchiving), scan while unpacking, and scan after unpacking.
-Risky because it could contain a virus or be a malware.  I have found most to be good however.  If you do download anti-virus product make sure you register and pay for it and update everything you can.

OPTIONAL
**Go to Start ->  Settings -> Control Panel -> Add Remove Programs --> Remove all uneeded and unused programs.  This will help all around PC performace.  

OPTIONAL
**Go to Start -> Programs -> Accessories -> System Tools -> Disk Defragmenter --> "Analyse"  --> follow recommendation to defragment or not.  Our recommendation is to defrag no matter what.

3.  Scan your computer with the most advanced and long type of anti-virus detection availabe.  Peruse the settings and try looking for byte-level scanning or byte-heuristics..  Make sure you are scanning in archives as well.

4.  Run a full Adaware with updated definitions. (zdnet.com)

5. Run a full hijackthis.


+--------------------------------------------------------------------------------------------------+


0
 

Author Comment

by:FTIISD
ID: 11810654
Thanks SheharyaarSaahil  and LucF,

cduke250, thanks for the input, unfortunatley it's not my PC, and I have no idea how long he's had that stuff on there.  I'm very familliar with all the workings of XP, and such, I just lack the knowlege when it comes to those hijackThis logs.  I'm learning them, but I'm always affraid I'm going to wipe something I need.

none the less,
Thanks to all three of you!

Cheers!
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 11810807
thanx ^_^
0

Featured Post

Automating Your MSP Business

The road to profitability.
Delivering superior services is key to ensuring customer satisfaction and the consequent long-term relationships that enable MSPs to lock in predictable, recurring revenue. What's the best way to deliver superior service? One word: automation.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

An overview of cyber security, cyber crime, and personal protection against hackers. Includes a brief summary of the Equifax breach and why everyone should be aware of it. Other subjects include: how cyber security has failed to advance with technol…
Your business may be under attack from a silent enemy that is hard to detect. It works stealthily in the shadows to access and exploit your critical business information, sensitive confidential data and intellectual property, for commercial gain. T…
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…
Is your data getting by on basic protection measures? In today’s climate of debilitating malware and ransomware—like WannaCry—that may not be enough. You need to establish more than basics, like a recovery plan that protects both data and endpoints.…
Suggested Courses

862 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question