Expiring Today—Celebrate National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Hijack This log

Posted on 2004-09-22
13
Medium Priority
?
649 Views
Last Modified: 2010-04-11
This is a HiJack This log run after running SpyBot S&D 1.3 and removing everything found.  Computer is still locking up randomly.  I've also run Norton Systemworks and fixed problems found there.  Any ideas would be appreciated.

Logfile of HijackThis v1.98.2
Scan saved at 1:09:59 PM, on 9/8/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\spool\DRIVERS\W32X86\hpoopm07.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\system32\ykfwljp.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Documents and Settings\Administrator\Application Data\pprm.exe
C:\WINNT\system32\ykwjlrbt.exe
C:\Documents and Settings\Administrator\My Documents\PixePtpManager.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sunspot.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
O2 - BHO: MxTargetObj Class - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINNT\mxTarget.dll
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINNT\systb.dll (file missing)
O2 - BHO: Popup Manager - {08E74C67-99A6-45C7-94DA-A397A8FD8082} - C:\Program Files\Popup Manager\PopupMgr_1.0.2.1P.dll
O2 - BHO: (no name) - {358C1B50-E217-049E-D60F-6C550BAF7764} - C:\WINNT\system32\mqihwd.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [HPAIO_PrintFolderMgr] C:\WINNT\System32\spool\DRIVERS\W32X86\hpoopm07.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [vvnmixzzkgfow] C:\WINNT\system32\ykfwljp.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [Cunh] C:\Documents and Settings\Administrator\Application Data\pprm.exe
O4 - Global Startup: HP Network Installation Wizard.lnk = C:\Program Files\Hewlett-Packard\HP OfficeJet G Series\bin\hpoibj07.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: PTP Manager.lnk = ?
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://www.jrnl.com/CFIDE/classes/CFJava.cab
O16 - DPF: {1C955F3B-5B32-4393-A05D-24B4970CD2A1} - http://streamp.babenet.com/cabs/videox.cab
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD LT 2002\AcDcToday.ocx
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} - http://www.mt-download.com/MediaTicketsInstaller.cab
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\AutoCAD LT 2002\InstBanr.ocx
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\AutoCAD LT 2002\InstFred.ocx
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD LT 2002\AcPreview.ocx
0
Comment
Question by:Bill_Landau
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
  • 3
  • +2
13 Comments
 
LVL 21

Assisted Solution

by:jvuz
jvuz earned 100 total points
ID: 12123162
Post the log here, it will analyze it for you.

http://www.hijackthis.de/index.php
0
 
LVL 21

Expert Comment

by:jvuz
ID: 12123167
Also do a check with spybot (make sure you aslo install the update)

http://www.safer-networking.org/en/download/index.html
0
 
LVL 16

Assisted Solution

by:OliWarner
OliWarner earned 400 total points
ID: 12123726
Right, press CRTL + ALT + DELETE (and) load up task manager
Click the processes tab and end the following processes...

C:\WINNT\system32\ykfwljp.exe
C:\WINNT\system32\ykwjlrbt.exe

After this you need to delete the files as listed above...
Then in HijackThis select the following entries on the list... after they're all checked click Fix and you should be fine...


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sunspot.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
O2 - BHO: Popup Manager - {08E74C67-99A6-45C7-94DA-A397A8FD8082} - C:\Program Files\Popup Manager\PopupMgr_1.0.2.1P.dll
O16 - DPF: {1C955F3B-5B32-4393-A05D-24B4970CD2A1} - http://streamp.babenet.com/cabs/videox.cab
O4 - HKLM\..\Run: [vvnmixzzkgfow] C:\WINNT\system32\ykfwljp.exe
0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 2

Expert Comment

by:visualcoat
ID: 12124415
You should download and run Avast Home edition at www.avast.com
0
 
LVL 65

Accepted Solution

by:
SheharyaarSaahil earned 500 total points
ID: 12124789
Bill, first of all u have to Download these tools !!
===============================================
AdAware ==> http://www.spychecker.com/program/adaware.html
SpyBot  ==> http://www.spychecker.com/program/spybot.html
CoolWebShredder ==> http://www.spychecker.com/program/coolwebshredder.html
PeperFix ==> http://downloads.subratam.org/PeperFix.exe
Stinger ==> http://vil.nai.com/vil/stinger
===============================================
Then check these lines in hijackthis and click on Fix Checked !!

===============================================
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
O2 - BHO: MxTargetObj Class - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINNT\mxTarget.dll
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINNT\systb.dll (file missing)
O2 - BHO: (no name) - {358C1B50-E217-049E-D60F-6C550BAF7764} - C:\WINNT\system32\mqihwd.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [vvnmixzzkgfow] C:\WINNT\system32\ykfwljp.exe
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} - http://www.mt-download.com/MediaTicketsInstaller.cab
========================================================

Then Disable ur Messenger Service if its running >> http://www.itc.virginia.edu/desktop/docs/messagepopup/
After that Boot ur system in Safemode, and run all the above Five Tools, and delete everything they detect !!
Then empty the Temp Internet Files & Cookies of IE, and delete the contents of TEMP Folder also !!

Reboot back in Normal Mode and now check for the problems ??
Post Back and Good Luck :)
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12129034
Bill, whenever u want to post a comment, post it in Original question, feedback is purely abt ur opinion for a particular expert :)

and now regarding ur feedback,
"Thanks for your response.  I accepted a different answer that was not as helpful as yours without realizing that I could only accept one."

u are not bound to Accept only one question,,,, u can split points between experts with the Split Points link u can see above the box where u type ur comments !!
for more info. on how to close a Question, plzz refer here >> http://www.experts-exchange.com/help.jsp#hs5

So do u want to reopen this question so that u can reaward the points by splitting points ??
0
 

Author Comment

by:Bill_Landau
ID: 12129186
Sorry - I keep forgetting that on this board I'm still a novice, and forget to RTFM.

Yes, I would like to reopen this question.
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12129207
>> Sorry - I keep forgetting that on this board I'm still a novice
not a problem, and no need to say Sorry,,, we all faced such things when we joined EE newly ;-)

>> Yes, I would like to reopen this question.
just wait for sometime,,,, i will have to ask a mod in CS to reopen this question, he will reopen this question and then u will need to reclose it,,,,, ok :)
0
 

Author Comment

by:Bill_Landau
ID: 12129305
Saw your request in CS - had just finished reading the help about questions, saw the instructions for requesting reopen, went to CS & saw your request, so I added my endorsement.
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12129399
yeah i know..... and now u have to reply back there to RomMod :)
0
 

Author Comment

by:Bill_Landau
ID: 12129480
Just did.  We'll get it right yet....
0
 
LVL 21

Expert Comment

by:jvuz
ID: 12130502
Thanx,

Jvuz
0

Featured Post

Looking for the Wi-Fi vendor that's right for you?

We know how difficult it can be to evaluate Wi-Fi vendors, so we created this helpful Wi-Fi Buyer's Guide to help you find the Wi-Fi vendor that's right for your business! Download the guide and get started on our checklist today!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Let's recap what we learned from yesterday's Skyport Systems webinar.
A bad practice commonly found during an account life cycle is to set its password to an initial, insecure password. The Password Reset Tool was developed to make the password reset process easier and more secure.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
This video Micro Tutorial shows how to password-protect PDF files with free software. Many software products can do this, such as Adobe Acrobat (but not Adobe Reader), Nuance PaperPort, and Nuance Power PDF, but they are not free products. This vide…

719 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question