
HJT log

I have a Win 2K Pro OS. The machine has been running very slowly and I have been getting a lot of pop-ups. I ran the HJT program and I have posted the log file. Can you let me know what I will need to do now!

Logfile of HijackThis v1.99.1
Scan saved at 10:17:29 PM, on 4/3/2005
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\winnt\System32\smss.exe
C:\winnt\system32\winlogon.exe
C:\winnt\system32\services.exe
C:\winnt\system32\lsass.exe
C:\winnt\system32\svchost.exe
C:\winnt\System32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\winnt\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\winnt\system32\hidserv.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\winnt\system32\regsvc.exe
C:\winnt\system32\MSTask.exe
C:\PROGRA~1\Toolbar\TBPSSvc.exe
C:\winnt\System32\WBEM\WinMgmt.exe
C:\Program Files\Common Files\WinTools\WToolsS.exe
C:\winnt\Explorer.EXE
C:\winnt\System32\tp4mon.exe
C:\Program Files\QuickTime\qttask.exe
C:\winnt\loadqm.exe
C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
C:\PROGRA~1\Toolbar\TBPS.exe
C:\Program Files\AutoUpdate\AutoUpdate.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\winnt\System32\rsnmxs.exe
C:\PROGRA~1\Toolbar\PIB.exe
C:\Program Files\Common Files\WinTools\WSup.exe
C:\WINNT\System32\Jfm38T2.exe
C:\WINNT\System32\Jfm38T2.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis.exe
C:\WINNT\System32\svcpack.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50171
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50171
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50171
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: MyWay Search Assistant BHO - {04079851-5845-4dea-848C-3ECD647AA554} - C:\Program Files\MyWay\SrchAstt\1.bin\MYSRCHAS.DLL (file missing)
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\2.bin\MYBAR.DLL (file missing)
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
O2 - BHO: (no name) - {8DA5457F-A8AA-4CCF-A842-70E6FD274094} - C:\PROGRA~1\COMMON~1\WinTools\WToolsT.dll
O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\2.bin\MYBAR.DLL (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Piolet] C:\Program Files\Piolet\Piolet.exe SILENT
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Q7dDuyXTz] c:\winnt\temp\Q7dDuyXTz.exe
O4 - HKLM\..\Run: [28EYFYX58ZKYMG] C:\WINNT\System32\LsxI52.exe
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [cw0ERfJ4h] rsnmxs.exe
O4 - HKCU\..\Run: [odbccr32] C:\WINNT\System32\odbccr32.exe
O4 - HKCU\..\Run: [svcpack] C:\WINNT\System32\svcpack.exe
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Fun Web Products Installer Start) - http://imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.5.exe
O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\Toolbar\toolbar.dll
O20 - Winlogon Notify: nwprovau - C:\winnt\SYSTEM32\nwprovau.dll
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\winnt\System32\dmadmin.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
O23 - Service: WebSeach Toolbar support NT service (TBPSSvc) - Unknown owner - C:\PROGRA~1\Toolbar\TBPSSvc.exe
O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe

Thank you.

A
woodendudeCommented:
0
 
aej1973Author Commented:
Thank you for your response. I am not able to delete the files which are nasty; for example, C:\Program Files\Common Files\WinTools\WToolsS.exe.

When I try to delete the file WToolsS.exe I get a response: cannot delete, there is a sharing violation.
0
 
Purple_TidderCommented:
Boot into safe mode and delete the WinTools folder. Usually gets it for me.
0
woodendudeCommented:
Yes, as Purple_Tidder said, run the program in safe mode and remove the nasties from there.
0
 
rossfingalCommented:
Hi!

These lines show that you have a Peper Trojan on your system -
O4 - HKLM\..\Run: [28EYFYX58ZKYMG] C:\WINNT\System32\LsxI52.exe
O4 - HKCU\..\Run: [cw0ERfJ4h] rsnmxs.exe

Download and run this Peper Fix tool - run it twice rebooting in between -
You may want to run it in "Safe" mode -
Download from here:
http://www.subratam.org/main/index.php?option=com_content&task=view&id=19&Itemid=41

The last 2 lines in your log show variants of "WinTools" running as a "Service":
O23 - Service: WebSeach Toolbar support NT service (TBPSSvc) - Unknown owner - C:\PROGRA~1\Toolbar\TBPSSvc.exe
O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe

Click on "Start" - click on "Run" - in the run box type "services.msc" (without quotes) -
look for an entry related to WinTools - double-click on it -
Stop it - then disable it.
Do the same for "TBPSSvc.exe"

Look in Add/Remove Programs for any entries related to "WinTools" -
try uninstalling from there.

As Purple_Tidder said above - may want to do this in "Safe" mode.

While in "safe" mode delete the following folders:
C:\Program Files\WinTools  <=  this folder
C:\Program Files\AutoUpdate  <=  this folder
C:\PROGRA~1\Toolbar  <=  this folder

Clean out all your "temp" files:

# C:\Windows\Temp - delete ALL of the CONTENTS of the folder - Not the "temp" folder itself!
# C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files (all contents)
  <=This will delete all your cached internet content including cookies.
  This is recommended and strongly suggested!
    However, if you delete all your cookies - this can affect your stored Internet passwords
    and your ability to logon automatically to various sites.
    So, consider deleting all your cookies - optional
# C:\Documents and Settings\<Your Profile>\Local Settings\Temp (all contents)
# C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files (all contents)
# C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp (all contents)

Empty your "Recycle Bin".

Reboot into "Normal" mode
With all browser windows closed - run HijackThis again -
Then run your log through the Analysis site -
Post a LINK to your new log back here
 
Good luck!

RF
0
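The answers above triage the log by eye: Run entries with generated-looking names, binaries launched from a temp directory, orphaned "(file missing)" entries, services with no publisher, and ActiveX (O16) installers. The script below is an added example, not part of the original thread or of HijackThis itself; it encodes those same checks so they can be re-run mechanically on the second log after cleanup. The sample lines are copied from the log posted in the question; the "random name" thresholds (length 6, three or more case/digit changes) and the severity labels are assumptions of this example, and the heuristic deliberately does not catch quieter names such as odbccr32 or svcpack, which is why the thread still relies on a human reviewer.

```python
"""Triage a HijackThis (HJT) log with the heuristics the thread applies by hand.

Added example, not HijackThis code.  SAMPLE_LOG lines are taken from the log
in the question; thresholds and severities are assumptions.
"""
import re
from collections import Counter

SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Q7dDuyXTz] c:\winnt\temp\Q7dDuyXTz.exe
O4 - HKLM\..\Run: [28EYFYX58ZKYMG] C:\WINNT\System32\LsxI52.exe
O4 - HKCU\..\Run: [cw0ERfJ4h] rsnmxs.exe
O4 - HKCU\..\Run: [odbccr32] C:\WINNT\System32\odbccr32.exe
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\2.bin\MYBAR.DLL (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Fun Web Products Installer Start) - http://imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.5.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe
"""

# O4 line: "O4 - HKLM\..\Run: [name] command"
RUN_RE = re.compile(r'^O4 - (HK\w+)\\\.\.\\Run: \[([^\]]+)\] (.*)$')
# First quoted or bare path ending in .exe, arguments dropped
EXE_RE = re.compile(r'^"?([^"]*?\.exe)', re.IGNORECASE)
# Directories a legitimate autostart should never point into (assumption)
TEMP_DIRS = ('\\temp\\', '\\temporary internet files\\', '\\local settings\\temp\\')


def char_class(c):
    """Bucket a character as digit, upper-case or lower-case/other."""
    if c.isdigit():
        return 'd'
    if c.isupper():
        return 'u'
    return 'l'


def looks_random(name, min_len=6, min_transitions=3):
    """Heuristic (assumption): generated names such as Q7dDuyXTz mix letters and
    digits and flip between character classes often; product names rarely do."""
    if len(name) < min_len or not name.isalnum():
        return False
    if not (any(c.isdigit() for c in name) and any(c.isalpha() for c in name)):
        return False
    classes = [char_class(c) for c in name]
    transitions = sum(1 for a, b in zip(classes, classes[1:]) if a != b)
    return transitions >= min_transitions


def exe_stem(command):
    """Return the executable's file name without '.exe', or '' if none found."""
    m = EXE_RE.match(command.strip())
    if not m:
        return ''
    return m.group(1).rsplit('\\', 1)[-1][:-4]


def triage_line(line):
    """Return a list of (severity, reason) findings for one HJT log line."""
    findings = []
    m = RUN_RE.match(line)
    if m:
        hive, name, command = m.groups()
        if looks_random(name) or looks_random(exe_stem(command)):
            findings.append(('high', f'{hive} Run entry with generated-looking name [{name}] -> {command}'))
        if any(t in command.lower() for t in TEMP_DIRS):
            findings.append(('high', f'Run entry launches a binary from a temp directory: {command}'))
    if '(file missing)' in line or '(no file)' in line:
        findings.append(('low', 'orphaned entry, target no longer on disk; safe to fix with HJT'))
    if line.startswith('O23 - ') and 'Unknown owner' in line:
        findings.append(('medium', 'service with no publisher string; verify before stopping/disabling'))
    if line.startswith('O16 - ') and (' file://' in line or line.lower().endswith('.exe')):
        findings.append(('medium', 'ActiveX download entry pointing at a local file or a bare executable'))
    return findings


def triage(log_text):
    """Map each flagged line to its findings; clean lines are omitted."""
    report = {}
    for raw in log_text.splitlines():
        line = raw.rstrip()
        findings = triage_line(line)
        if findings:
            report[line] = findings
    return report


def summarize(report):
    """Count findings per severity, for a quick before/after comparison."""
    return Counter(sev for findings in report.values() for sev, _ in findings)


if __name__ == '__main__':
    rep = triage(SAMPLE_LOG)
    for line, findings in rep.items():
        for sev, reason in findings:
            print(f'[{sev:6}] {reason}')
            print(f'         {line}')
    print(dict(summarize(rep)))
```

Run it once on the first log and once on the log produced after the safe-mode cleanup; the high-severity count should drop to zero and anything that survives is what still needs manual attention.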
 
aej1973Author Commented:
This is the new output. Any suggestions? Thanks.

http://www.hijackthis.de/logfiles/be674c0ca2fb6db30e8326b14a7f8522.html
0
 
woodendudeCommented:
Remove the following:
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: MyWay Search Assistant BHO - {04079851-5845-4dea-848C-3ECD647AA554} - C:\Program Files\MyWay\SrchAstt\1.bin\MYSRCHAS.DLL (file missing)
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\2.bin\MYBAR.DLL (file missing)
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\2.bin\MYBAR.DLL (file missing)
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll (file missing)
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [Q7dDuyXTz] c:\winnt\temp\Q7dDuyXTz.exe
O4 - HKLM\..\Run: [28EYFYX58ZKYMG] C:\WINNT\System32\Sterz6w.exe
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKCU\..\Run: [cw0ERfJ4h] rsnmxs.exe
O4 - HKCU\..\Run: [odbccr32] C:\WINNT\System32\odbccr32.exe
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Fun Web Products Installer Start) - http://imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.5.exe
O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\Toolbar\toolbar.dll (file missing)
O23 - Service: WebSeach Toolbar support NT service (TBPSSvc) - Unknown owner - C:\PROGRA~1\Toolbar\TBPSSvc.exe (file missing)
0
 
woodendudeCommented:
Remove the above in safe mode.
0
 
aej1973Author Commented:
0
 
woodendudeCommented:
C:\WINNT\System32\svcpack.exe
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\2.bin\MYBAR.DLL (file missing)
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O2 - BHO: (no name) - {8DA5457F-A8AA-4CCF-A842-70E6FD274094} - C:\PROGRA~1\COMMON~1\WinTools\WToolsT.dll
O4 - HKCU\..\Run: [svcpack] C:\WINNT\System32\svcpack.exe
O23 - Service: WebSeach Toolbar support NT service (TBPSSvc) - Unknown owner - C:\PROGRA~1\Toolbar\TBPSSvc.exe (file missing)
They've got to go.
0
 
caza13Commented:
C:\WINNT\System32\svcpack.exe
O4 - HKCU\..\Run: [svcpack] C:\WINNT\System32\svcpack.exe

The above items seem to be associated with Cool Web Search.
0
 
rossfingalCommented:
Hi!

Make sure you update Windows 2000 to Service Pack 4
And:
Internet Explorer to Service Pack 1

Thanks and good luck!
RF
0
 
aej1973Author Commented:
Thank you. How do I do that? I did actually post another question where I am having a problem upgrading my Win 2K OS to Win XP. I am trying to upgrade my Win 2K using the Win XP software (upgrade version). When I try and do the upgrade I get a message "setup was unable to access the boot config file, C:\BOOT.INI". How do I recover / repair this boot config file? Any suggestions?
Thank you.
0
 
woodendudeCommented:
Upgrades are prone to problems; many times they just never seem to operate correctly. I'd suggest backing up important data, formatting and doing a full install of XP if at all possible.
0
 
aej1973Author Commented:
I will keep that in mind, thanks. BTW, with the help of the notes you sent me I had the problem solved. Thanks again.

A
0
 
woodendudeCommented:
No prob.
0
