
can anyone tell me which ones to delete

Discussion in 'All Other Software' started by maggikelly, Jan 19, 2003.

Thread Status:
Not open for further replies.
  1. maggikelly

    maggikelly Thread Starter

    Joined:
    Jan 19, 2003
    Messages:
    12
    Logfile of HijackThis v1.91.2
    Scan saved at 9:06:54 PM, on 1/19/03
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v5.00 (5.00.2614.3500)

    F1 - win.ini: load=ptsnoop.exe
    O4 - HKLM\..\Run: [System Monitor] sysmon16.exe
    O4 - HKLM\..\Run: [WhenUSave] C:\PROGRA~1\SAVE\Save.exe

    Are these viruses or needed programs?
    Can anyone help please?
    Thanks
    Maggi
     
  2. TonyKlein

    TonyKlein Malware Specialist

    Joined:
    Aug 26, 2001
    Messages:
    10,392
    Maggi,

    Why aren't you posting your entire Hijack This log instead of just the items that strike you as funny?

    I told you in the other thread you have a backdoor trojan starting up, but I'm not hearing you talk about that one.

    And you probably have lots of other stuff that needs attention.

    If you're interested in having us assist you to get rid of unnecessary items, please help us to help you.
     
  3. TonyKlein

    TonyKlein Malware Specialist

    Joined:
    Aug 26, 2001
    Messages:
    10,392
    OK, as you wish, then:

    Sysmon16.exe is the trojan startup, and Save.exe is spyware.

    Have Hijack This fix both.

    Reboot, find and delete Sysmon16.exe.

    Run an online scan on Panda Active Scan

    Next, download Spybot - Search & Destroy

    After installing, press Online, and search for, put a check mark at, and install all updates.

    Next, go to the Settings tab > File Sets, and uncheck 'System Internals' and 'Tracks' .
    These aren't needed for our present purpose, and you can always experiment with them later on.

    Finally, after closing down Internet Explorer, hit 'Check for Problems', and have SpyBot remove all it finds.
     
  4. maggikelly

    maggikelly Thread Starter

    Joined:
    Jan 19, 2003
    Messages:
    12
    Hi Tony
    Thanks for your help, I will send you the whole HijackThis list. There was a lot on it and I didn't understand any of it!! Sorry, told you I was a newbie. So I just picked out the ones that keep trying to access the net. The whole list is as follows. I have to go to bed now as it is late here in Australia. Will be back online tomorrow night.
    Thanks again for your help.
    Maggi

    Logfile of HijackThis v1.91.2
    Scan saved at 9:06:54 PM, on 1/19/03
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v5.00 (5.00.2614.3500)

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=www.icenet.com.au/links.shtml
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.ninemsn.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=www.icenet.com.au
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL=www.icenet.com.au/links.shtml
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page=www.icenet.com.au
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar=www.icenet.com.au/links.shtml
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=www.icenet.com.au
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL=www.icenet.com.au/links.shtml
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title=Icenet Internet Services
    F1 - win.ini: load=ptsnoop.exe
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
    O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Norton AntiVirus\POPROXY.EXE
    O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
    O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
    O4 - HKLM\..\Run: [System Monitor] sysmon16.exe
    O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
    O4 - HKLM\..\Run: [WhenUSave] C:\PROGRA~1\SAVE\Save.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
    O4 - HKLM\..\RunServices: [MiniLog] C:\WINDOWS\SYSTEM\ZONELABS\MINILOG.EXE -service
    O4 - HKLM\..\RunServices: [System Monitor] sysmon16.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
    O4 - Startup: Reboot.exe
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Startup: Forget Me Not Reminders.lnk = C:\WINDOWS\HWINFO.EXE
    O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
    O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
    O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Run DAP (HKLM)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} (MSN Chat Control 4.2) - http://fdl.msn.com/public/chat/msnchat42.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37632.6924305556
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as/asinst.cab
     
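As an added example (not code from the thread or from HijackThis itself), here is a small Python triage helper that parses O4 startup entries like the ones in the log above, splits lines that were fused on copy-paste, and flags the two items named in this thread plus any entry that loads a bare filename with no directory. The KNOWN_BAD set and the sample lines are assumptions constructed from this thread.

```python
import re
from dataclasses import dataclass

# Constructed sample: O4 lines taken from the log above, with one line fused
# the way the first post's copy-paste was (two entries run together).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [System Monitor] sysmon16.exeO4 - HKLM\..\Run: [WhenUSave] C:\PROGRA~1\SAVE\Save.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O4 - Startup: Reboot.exe
"""

# Assumption: the two files this thread identifies as trojan loader and spyware.
KNOWN_BAD = {"sysmon16.exe", "save.exe"}

# Registry Run/RunServices entries or Startup-folder entries; the lookahead
# lets a second "O4 - " on the same line start a new match (fused lines).
O4_RE = re.compile(
    r"O4 - (?:(HKLM|HKCU)\\\.\.\\(Run\w*)|((?:Global )?Startup)): (.*?)(?=O4 - |$)", re.M)

@dataclass
class StartupEntry:
    location: str   # e.g. r"HKLM\..\Run" or "Startup"
    name: str
    command: str
    verdict: str    # "known-bad", "unqualified-path" or "ok"

def _executable(command: str) -> str:
    """First token of the command line, honouring a quoted path."""
    command = command.strip()
    if command.startswith('"') and '"' in command[1:]:
        return command[1:command.index('"', 1)]
    return command.split()[0] if command else ""

def _verdict(exe: str) -> str:
    base = exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if base in KNOWN_BAD:
        return "known-bad"
    if "\\" not in exe and ":" not in exe:
        # No directory given: the log alone does not say where the file lives.
        return "unqualified-path"
    return "ok"

def parse_o4(log: str) -> list[StartupEntry]:
    entries = []
    for hive, key, folder, payload in O4_RE.findall(log):
        location = f"{hive}\\..\\{key}" if hive else folder
        if payload.startswith("["):                 # "[Name] command"
            name, _, command = payload[1:].partition("] ")
        elif " = " in payload:                      # "Name.lnk = path"
            name, _, command = payload.partition(" = ")
        else:                                       # bare file in Startup folder
            name, command = payload, payload
        entries.append(StartupEntry(location, name, command.strip(), _verdict(_executable(command))))
    return entries

def suspicious(log: str) -> list[StartupEntry]:
    return [e for e in parse_o4(log) if e.verdict != "ok"]
```

Entries that resolve to "ok" are only unflagged by these two heuristics; a full log review still checks each remaining item against its vendor and path.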
  5. TonyKlein

    TonyKlein Malware Specialist

    Joined:
    Aug 26, 2001
    Messages:
    10,392
    No prob, Maggi! :)

    You actually did a fine job, as Sysmon16.exe and Save.exe are the only two items you really need to have Hijack This fix.

    If you do exactly what I just told you, you'll be fine.

    Don't forget to find and delete the Sysmon16.exe file, and to run SpyBot in order to remove SaveNow.

    Good luck,
     
  6. maggikelly

    maggikelly Thread Starter

    Joined:
    Jan 19, 2003
    Messages:
    12
    Hi Tony
    Just logged on, I am now going to follow your instructions. Thanks a lot, will let you know how I get on.
    Thanks
    Maggi
     
  7. maggikelly

    maggikelly Thread Starter

    Joined:
    Jan 19, 2003
    Messages:
    12
    Hi Tony
    I did all the things you said, and Spybot did its work real good, so I have fixed and removed all problem files. I only have one problem now, and I wonder if you can help. Where do I look for the sysmon16.exe file? I tried to locate it with Find, but it says it's not there. I have started to manually search my folders. If you know of a quicker way, please can you let me know, thanks,
    Maggi in Australia
     
  8. jm100dm

    jm100dm

    Joined:
    May 26, 1999
    Messages:
    994
    If you don't find it using Find to search your hard drives then you will not be able to find it manually in your files. Go to Start\Run, type regedit and press OK. Click Edit\Find, type in Sysmon16 and press Find Next. Make sure that the 16 is in there; sysmon is a valid Windows program. If it is found in the registry, right-click on it and delete it. When asked if you are sure, press Yes. Continue through to the end of the registry with Edit\Find Next. That should take care of it.

    jm100dm
     
  9. TonyKlein

    TonyKlein Malware Specialist

    Joined:
    Aug 26, 2001
    Messages:
    10,392
    All you need to do is have Hijack This fix the following items:

    O4 - HKLM\..\Run: [WhenUSave] C:\PROGRA~1\SAVE\Save.exe
    O4 - HKLM\..\RunServices: [System Monitor] sysmon16.exe


    That will remove their startup entries from the registry, so there's no need to do a manual search on top of that.

    If you subsequently reboot, the files themselves won't load, and will therefore not be in use by Windows so that they can easily be deleted.
     
Short URL to this thread: https://techguy.org/114101