Solved

hiJack Log... Please help

Posted on 2004-08-12
9
886 Views
Last Modified: 2010-04-11
What should be removed....  I'm pretty sure there's a few, but I'm allways cautious going through them.

Thanks guys!

Logfile of HijackThis v1.97.7
Scan saved at 1:38:52 PM, on 12/08/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\yenavn.exe
C:\Program Files\OfferApp\OfferApp.exe
C:\WINDOWS\dhbrwsr.exe
C:\Program Files\Common Files\WinTools\WToolsA.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Ares\Ares.exe
C:\Program Files\ACT\SideACT.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\WinTools\WToolsS.exe
C:\Program Files\Common Files\WinTools\WSup.exe
C:\WINDOWS\system32\sessmgr.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpCtr.exe
C:\WINDOWS\system32\RDSHOST.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\dhsvr.exe
C:\Documents and Settings\Ed\Local Settings\Temporary Internet Files\Content.IE5\A0D7EQ8M\HijackThis[1].exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.google.ca/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://go.microsoft.com/fwlink/?LinkId=374
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} - C:\WINDOWS\dealhlpr.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: Band Class - {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} - C:\WINDOWS\dealhlpr.dll
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [System Tray] C:\WINDOWS\msccn32.exe
O4 - HKLM\..\Run: [Soundmx] C:\WINDOWS\System32\soundmx.exe
O4 - HKLM\..\Run: [sh263m] C:\WINDOWS\System32\sh263m.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [DealHelperUpdate] C:\WINDOWS\DHUpdt.exe
O4 - HKLM\..\Run: [DealHelperBrwsr] C:\WINDOWS\dhbrwsr.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - HKCU\..\Run: [System Tray] C:\WINDOWS\msccn32.exe
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: SideACT!.lnk = C:\Program Files\ACT\SideACT.exe
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: ICQ 4.1 (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - file://C:\install.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1408.g.akamai.net/7/1408/9955/20031218/akamai.info.apple.com/iTunes4/WW/win/019-0123.20031218.zes4d/iTunesSetup.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/0829a8578d9e0567e005/netzip/RdxIE601.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab28578.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab

0
Comment
Question by:FTIISD
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
9 Comments
 
LVL 65

Accepted Solution

by:
SheharyaarSaahil earned 500 total points
ID: 11785740
Hello FTIISD =)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} - C:\WINDOWS\dealhlpr.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: Band Class - {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} - C:\WINDOWS\dealhlpr.dll
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O4 - HKLM\..\Run: [sh263m] C:\WINDOWS\System32\sh263m.exe
O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
O4 - HKLM\..\Run: [DealHelperUpdate] C:\WINDOWS\DHUpdt.exe
O4 - HKLM\..\Run: [DealHelperBrwsr] C:\WINDOWS\dhbrwsr.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKCU\..\Run: [System Tray] C:\WINDOWS\msccn32.exe
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - file://C:\install.cab
===================================================

U can Fix these entries !!!!!!
0
 
LVL 32

Expert Comment

by:LucF
ID: 11785763
Hi FTIISD,

Tick the checkbox in front of the following lines, afterwards click "fix checked"
Then reboot the computer and dlete the offending files.

O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} - C:\WINDOWS\dealhlpr.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: Band Class - {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} - C:\WINDOWS\dealhlpr.dll
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O4 - HKLM\..\Run: [System Tray] C:\WINDOWS\msccn32.exe
O4 - HKLM\..\Run: [sh263m] C:\WINDOWS\System32\sh263m.exe
O4 - HKLM\..\Run: [DealHelperUpdate] C:\WINDOWS\DHUpdt.exe
O4 - HKLM\..\Run: [DealHelperBrwsr] C:\WINDOWS\dhbrwsr.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKCU\..\Run: [System Tray] C:\WINDOWS\msccn32.exe
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h <= GAOBOT
O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - file://C:\install.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/0829a8578d9e0567e005/netzip/RdxIE601.cab

Greetings,

LucF
0
 
LVL 32

Expert Comment

by:LucF
ID: 11785769
too slow...
0
Will You Be GDPR Compliant by 5/28/2018?

GDPR? That's a regulation for the European Union. But, if you collect data from customers or employees within the EU, then you need to know about GDPR and make sure your organization is compliant by May 2018. Check out our preparation checklist to make sure you're on track today!

 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 11785779
and ofcourse before fixixng those line dont forget to Turn off the System Restore and then u can run the following tools in Safemode to get rid of all remainents junk stuff :)

========================================================
AdAware ==> http://www.lavasoftusa.com/support/download/
SpyBot  ==> http://www.spychecker.com/program/spybot.html
CoolWebShredder ==> http://www.spychecker.com/program/coolwebshredder.html
ToolBar Cop >> http://www.mvps.org/sramesh2k/toolbarcop.htm
Stinger >> http://vil.nai.com/vil/stinger
========================================================

post back the results :)
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 11785837
>> Logfile of HijackThis v1.97.7

and BTW its the old version,,,, next time use the new version, u can get it from here :)
http://tools.radiosplace.com/HijackThis.exe
0
 
LVL 12

Expert Comment

by:rossfingal
ID: 11797377
Have them attempt to remove"Wintools" through Add/Remove Programs first.
And, tell them to move HijackThis out of a temporary folder into a folder of it's own.
As always - Regards...
RF
0
 
LVL 3

Expert Comment

by:cduke250
ID: 11805682
If you are running windows XP then you are in a lot of luck bro~

The windows restore program automatically saves registry and other settings in a "snapshot" of your computer.  There are several "snapshots" available that let you restore old (working) settings.   Restoring an older snapshot does not delete any of your new files or change anything bad.  If I was you I would do this immediately and then run a thorough anti-virus program with the latest updates.  Here is a MO for you.
_________________________
| OPTIONAL PRE CHECKLIST |
+--------------------------------------------------------------------------------------------------+
Save ALL records in a specific spot like My documents/records/   You will have to go through the settings of the programs to do this.  This will greatly aid someone trying to help.

If you need a program but your PC doesnt connect to internet to download it, DL it on another PC and save to disk or burn to CD.  

Google for "vice trojan finder"  or find it at rootkit.com  

Find hijackthis at http://www.spychecker.com/download/download_hijackthis.html

AdWare is a REQUIREMENT for smooth pc operation.  find at zdnet and emule.

Use emule (zdnet.com) to find programs. (during setup you want to use the kad network too.)

Might need winrar (zdnet.com, winrar.com) to unpack and unzip files.  WinZip will not work for some of these files.

Don't use IE as your web browser.  Use netscape or USE FIREFOX!! THE BEST BROWSER"." www.mozilla.org
+--------------------------------------------------------------------------------------------------+

____________
| CHECKLIST |
+--------------------------------------------------------------------------------------------------+
1. Start -> Programs -> Accessories -> System Tools -> System Restore --> "Restore my computer to an earlier point" --> pick a date and go!

OPTIONAL
*** I would also go to  Start -> Programs -> Accessories -> System Tools -> Disk Cleanup --> delete temp files

2. Update any anti-virus programs you have.  Definately have and regularly use anti-virus programs (Zone alarm security suite, mcaffee, AdAware, hijackthis)!!! Zdnet.com

OPTIONAL -NOT RECOMMENDED -RISKY
**No budget? You can download emule at zdnet.com and search for a anti-virus product.  Scan it for viruses before unpacking(unzipping, unarchiving), scan while unpacking, and scan after unpacking.
-Risky because it could contain a virus or be a malware.  I have found most to be good however.  If you do download anti-virus product make sure you register and pay for it and update everything you can.

OPTIONAL
**Go to Start ->  Settings -> Control Panel -> Add Remove Programs --> Remove all uneeded and unused programs.  This will help all around PC performace.  

OPTIONAL
**Go to Start -> Programs -> Accessories -> System Tools -> Disk Defragmenter --> "Analyse"  --> follow recommendation to defragment or not.  Our recommendation is to defrag no matter what.

3.  Scan your computer with the most advanced and long type of anti-virus detection availabe.  Peruse the settings and try looking for byte-level scanning or byte-heuristics..  Make sure you are scanning in archives as well.

4.  Run a full Adaware with updated definitions. (zdnet.com)

5. Run a full hijackthis.


+--------------------------------------------------------------------------------------------------+


0
 

Author Comment

by:FTIISD
ID: 11810654
Thanks SheharyaarSaahil  and LucF,

cduke250, thanks for the input, unfortunatley it's not my PC, and I have no idea how long he's had that stuff on there.  I'm very familliar with all the workings of XP, and such, I just lack the knowlege when it comes to those hijackThis logs.  I'm learning them, but I'm always affraid I'm going to wipe something I need.

none the less,
Thanks to all three of you!

Cheers!
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 11810807
thanx ^_^
0

Featured Post

MIM Survival Guide for Service Desk Managers

Major incidents can send mastered service desk processes into disorder. Systems and tools produce the data needed to resolve these incidents, but your challenge is getting that information to the right people fast. Check out the Survival Guide and begin bringing order to chaos.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Web content filtering solution 6 59
How to get rid of this security alert once and for all 20 123
Application of a group policy 11 62
Certificate error - subdomain? 2 31
This article demonstrates probably the easiest way to configure domain-wide tier isolation within Active Directory. If you do not know tier isolation read https://technet.microsoft.com/en-us/windows-server-docs/security/securing-privileged-access/s…
Recently, Microsoft released a best-practice guide for securing Active Directory. It's a whopping 300+ pages long. Those of us tasked with securing our company’s databases and systems would, ideally, have time to devote to learning the ins and outs…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, just open a new email message. In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

733 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question