Solved

HJT log

Posted on 2005-04-03
17
Medium Priority
360 Views
Last Modified: 2010-04-11
I have a Win 2K Pro OS. The machine has been running very slowly and I have been getting a lot of pop-ups. I ran the HJT program and I have posted the log file. Can you let me know what I will need to do now!!

Logfile of HijackThis v1.99.1
Scan saved at 10:17:29 PM, on 4/3/2005
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\winnt\System32\smss.exe
C:\winnt\system32\winlogon.exe
C:\winnt\system32\services.exe
C:\winnt\system32\lsass.exe
C:\winnt\system32\svchost.exe
C:\winnt\System32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\winnt\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\winnt\system32\hidserv.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\winnt\system32\regsvc.exe
C:\winnt\system32\MSTask.exe
C:\PROGRA~1\Toolbar\TBPSSvc.exe
C:\winnt\System32\WBEM\WinMgmt.exe
C:\Program Files\Common Files\WinTools\WToolsS.exe
C:\winnt\Explorer.EXE
C:\winnt\System32\tp4mon.exe
C:\Program Files\QuickTime\qttask.exe
C:\winnt\loadqm.exe
C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
C:\PROGRA~1\Toolbar\TBPS.exe
C:\Program Files\AutoUpdate\AutoUpdate.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\winnt\System32\rsnmxs.exe
C:\PROGRA~1\Toolbar\PIB.exe
C:\Program Files\Common Files\WinTools\WSup.exe
C:\WINNT\System32\Jfm38T2.exe
C:\WINNT\System32\Jfm38T2.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis.exe
C:\WINNT\System32\svcpack.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50171
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50171
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50171
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: MyWay Search Assistant BHO - {04079851-5845-4dea-848C-3ECD647AA554} - C:\Program Files\MyWay\SrchAstt\1.bin\MYSRCHAS.DLL (file missing)
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\2.bin\MYBAR.DLL (file missing)
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
O2 - BHO: (no name) - {8DA5457F-A8AA-4CCF-A842-70E6FD274094} - C:\PROGRA~1\COMMON~1\WinTools\WToolsT.dll
O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\2.bin\MYBAR.DLL (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Piolet] C:\Program Files\Piolet\Piolet.exe SILENT
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Q7dDuyXTz] c:\winnt\temp\Q7dDuyXTz.exe
O4 - HKLM\..\Run: [28EYFYX58ZKYMG] C:\WINNT\System32\LsxI52.exe
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [cw0ERfJ4h] rsnmxs.exe
O4 - HKCU\..\Run: [odbccr32] C:\WINNT\System32\odbccr32.exe
O4 - HKCU\..\Run: [svcpack] C:\WINNT\System32\svcpack.exe
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Fun Web Products Installer Start) - http://imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.5.exe
O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\Toolbar\toolbar.dll
O20 - Winlogon Notify: nwprovau - C:\winnt\SYSTEM32\nwprovau.dll
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\winnt\System32\dmadmin.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
O23 - Service: WebSeach Toolbar support NT service (TBPSSvc) - Unknown owner - C:\PROGRA~1\Toolbar\TBPSSvc.exe
O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe

Thank you.

A
0
Question by:aej1973
17 Comments
 
LVL 9

Expert Comment

by:woodendude
ID: 13694524
0
 

Author Comment

by:aej1973
ID: 13694664
Thank you for your response. I am not able to delete the files which are nasty;
for example, C:\Program Files\Common Files\WinTools\WToolsS.exe.

When I try to delete the file WToolsS.exe I get a response: cannot delete, there is a sharing violation.
0
 
LVL 10

Expert Comment

by:Purple_Tidder
ID: 13694972
Boot into safe mode and delete the WinTools folder. Usually gets it for me.
0
 
LVL 9

Expert Comment

by:woodendude
ID: 13696868
Yes, as Purple_Tidder said, run the program in safe mode and remove the nasties from there.
0
 
LVL 12

Assisted Solution

by:rossfingal
rossfingal earned 300 total points
ID: 13698411
Hi!

These lines show that you have a Peper Trojan on your system -
O4 - HKLM\..\Run: [28EYFYX58ZKYMG] C:\WINNT\System32\LsxI52.exe
O4 - HKCU\..\Run: [cw0ERfJ4h] rsnmxs.exe

Download and run this Peper Fix tool - run it twice rebooting in between -
You may want to run it in "Safe" mode -
Download from here:
http://www.subratam.org/main/index.php?option=com_content&task=view&id=19&Itemid=41

The last 2 lines in your log show variants of "WinTools" running as a "Service":
O23 - Service: WebSeach Toolbar support NT service (TBPSSvc) - Unknown owner - C:\PROGRA~1\Toolbar\TBPSSvc.exe
O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe

Click on "Start" - click on "Run" - in the run box type "services.msc" (without quotes) -
look for an entry related to WinTools - double-click on it -
Stop it - then disable it.
Do the same for "TBPSSvc.exe"

Look in Add/Remove Programs for any entries related to "WinTools" -
try uninstalling from there.

As Purple_Tidder said above - may want to do this in "Safe" mode.

While in "safe" mode delete the following folders:
C:\Program Files\WinTools  <=  this folder
C:\Program Files\AutoUpdate  <=  this folder
C:\PROGRA~1\Toolbar  <=  this folder

Clean out all your "temp" files:

# C:\Windows\Temp - delete ALL of the CONTENTS of the folder - Not the "temp" folder itself!
# C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files (all contents)
  <=This will delete all your cached internet content including cookies.
  This is recommended and strongly suggested!
    However, if you delete all your cookies - this can affect your stored Internet passwords
    and your ability to logon automatically to various sites.
    So, consider deleting all your cookies - optional
# C:\Documents and Settings\<Your Profile>\Local Settings\Temp (all contents)
# C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files (all contents)
# C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp (all contents)

Empty your "Recycle Bin".

Reboot into "Normal" mode
With all browser windows closed - run HijackThis again -
Then run your log through the Analysis site -
Post a LINK to your new log back here
 
Good luck!

RF
0
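An added example (my own code, not from anyone in this thread) that applies the triage rules the experts above used to lines copied from the posted log: orphaned entries, folders the thread named as adware, random-looking Run value names, autostarts in a temp folder, services with no publisher, and O16 entries pointing at a local file. The keyword list and the letters-plus-digits test for random names are my assumptions, not HijackThis rules.

```python
import re

# Constructed sample: entries copied from the HijackThis log posted in the question above.
SAMPLE_LOG = r"""
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\2.bin\MYBAR.DLL (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Q7dDuyXTz] c:\winnt\temp\Q7dDuyXTz.exe
O4 - HKLM\..\Run: [28EYFYX58ZKYMG] C:\WINNT\System32\LsxI52.exe
O4 - HKCU\..\Run: [cw0ERfJ4h] rsnmxs.exe
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\winnt\System32\dmadmin.exe
O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe
"""

# Folder names the experts in this thread told the poster to remove (assumed keyword list).
ADWARE_KEYWORDS = ("wintools", "myway", "autoupdate", "\\toolbar\\")

def parse_entry(line):
    """Split a HijackThis line into its section tag (O2, O4, O23, ...) and the rest."""
    m = re.match(r"^(O\d+|R\d)\s+-\s+(.*)$", line.strip())
    return (m.group(1), m.group(2)) if m else (None, line.strip())

def reasons_for(line):
    """Return the triage reasons one entry trips; an empty list means nothing stood out."""
    tag, body = parse_entry(line)
    low = body.lower()
    reasons = []
    if "(file missing)" in low or "(no file)" in low:
        reasons.append("orphaned entry, target file absent")
    if any(k in low for k in ADWARE_KEYWORDS):
        reasons.append("points into a folder identified as adware in this thread")
    if tag == "O4":
        m = re.match(r"HK(?:LM|CU)\\\.\.\\Run: \[([^\]]+)\]\s*(.*)", body)
        if m:
            name, target = m.groups()
            # Run value names such as 28EYFYX58ZKYMG mix letters and digits with no meaning.
            if re.search(r"\d", name) and re.search(r"[A-Za-z]", name):
                reasons.append("random-looking Run value name")
            if "\\temp\\" in target.lower():
                reasons.append("autostart target lives in a temp folder")
    if tag == "O23" and "unknown owner" in low:
        reasons.append("service with no publisher")
    if tag == "O16" and "file://" in low:
        reasons.append("ActiveX download entry pointing at a local file")
    return reasons

def triage(log_text):
    """Map each suspicious line to its reasons; lines that trip no rule are left out."""
    return {l.strip(): reasons_for(l) for l in log_text.splitlines() if reasons_for(l)}
```

Run `triage(SAMPLE_LOG)` to see which six of the eight sample lines are flagged and why; the two clean entries (QuickTime and the VERITAS service) drop out.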
 

Author Comment

by:aej1973
ID: 13701261
This is the new output. Any suggestions?? Thanks.

http://www.hijackthis.de/logfiles/be674c0ca2fb6db30e8326b14a7f8522.html
0
 
LVL 9

Accepted Solution

by:woodendude
woodendude earned 200 total points
ID: 13701356
Remove the following:
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: MyWay Search Assistant BHO - {04079851-5845-4dea-848C-3ECD647AA554} - C:\Program Files\MyWay\SrchAstt\1.bin\MYSRCHAS.DLL (file missing)
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\2.bin\MYBAR.DLL (file missing)
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\2.bin\MYBAR.DLL (file missing)
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll (file missing)
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [Q7dDuyXTz] c:\winnt\temp\Q7dDuyXTz.exe
O4 - HKLM\..\Run: [28EYFYX58ZKYMG] C:\WINNT\System32\Sterz6w.exe
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKCU\..\Run: [cw0ERfJ4h] rsnmxs.exe
O4 - HKCU\..\Run: [odbccr32] C:\WINNT\System32\odbccr32.exe
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Fun Web Products Installer Start) - http://imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.5.exe
O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\Toolbar\toolbar.dll (file missing)
O23 - Service: WebSeach Toolbar support NT service (TBPSSvc) - Unknown owner - C:\PROGRA~1\Toolbar\TBPSSvc.exe (file missing)
0
 
LVL 9

Expert Comment

by:woodendude
ID: 13701360
Remove the above in safe mode.
0
 

Author Comment

by:aej1973
ID: 13701877
0
 
LVL 9

Expert Comment

by:woodendude
ID: 13701941
C:\WINNT\System32\svcpack.exe
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\2.bin\MYBAR.DLL (file missing)
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O2 - BHO: (no name) - {8DA5457F-A8AA-4CCF-A842-70E6FD274094} - C:\PROGRA~1\COMMON~1\WinTools\WToolsT.dl
O4 - HKCU\..\Run: [svcpack] C:\WINNT\System32\svcpack.exe
O23 - Service: WebSeach Toolbar support NT service (TBPSSvc) - Unknown owner - C:\PROGRA~1\Toolbar\TBPSSvc.exe (file missing)
They've got to go.
0
 
LVL 6

Expert Comment

by:caza13
ID: 13702001
C:\WINNT\System32\svcpack.exe
O4 - HKCU\..\Run: [svcpack] C:\WINNT\System32\svcpack.exe

The above items seem to be associated with Cool Web Search.
0
 
LVL 12

Expert Comment

by:rossfingal
ID: 13737260
Hi!

Make sure you update Windows 2000 to Service Pack 4
And:
Internet Explorer to Service Pack 1

Thanks and good luck!
RF
0
 

Author Comment

by:aej1973
ID: 13737935
Thank you. How do I do that? I did actually post another question where I am having a problem upgrading my WIN 2K OS to Win XP. I am trying to upgrade my Win 2K using the Win XP software (upgrade version). When I try and do the upgrade I get a message "setup was unable to access the boot config file, C:/BOOT.INI". How do I recover / repair this boot config file.. any suggestions?
Thank you.
0
 
LVL 9

Expert Comment

by:woodendude
ID: 13738422
Upgrades are prone to problems; many times they just never seem to operate correctly. I'd suggest backing up important data, formatting and doing a full install of XP if at all possible.
0
 

Author Comment

by:aej1973
ID: 13739985
I will keep that in mind, thanks. BTW, with the help of the notes you sent me I had the problem solved. Thanks again.

A
0
 
LVL 9

Expert Comment

by:woodendude
ID: 13741956
No prob.
0
