can anyone tell me which ones to delete

[maggikelly]

Logfile of HijackThis v1.91.2
Scan saved at 9:06:54 PM, on 1/19/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)

F1 - win.ini: load=ptsnoop.exe
O4 - HKLM\..\Run: [System Monitor] sysmon16.exeO4 - HKLM\..\Run: [WhenUSave] C:\PROGRA~1\SAVE\Save.exe

Are these virus's or needed programs ??
Anyone help please
Thanks
Maggi

 

[TonyKlein]

Maggi,

Why aren't you posting your entire Hijack This log instead of just the items that strike you as funny?

I told you in the other thread you have a backdoor trojan starting up, but I'm not hearing you talk about that one.

And you probably have lots of other stuff that needs attention.

If you're interested in having us assist you to get rid of unneccessary items, please help us to help you.

 

[TonyKlein]

OK, as you wish, then:

Sysmon16.exe is the trojan startup, and Save.exe is spyware.

Have Hijack This fix both.

Reboot, find and delete Sysmon16.exe.

Run an online scan on Panda Active Scan

Next, download Spybot - Search & Destroy

After installing, press Online, and search for, put a check mark at, and install all updates.

Next, go to the Settings tab > File Sets, and uncheck 'System Internals' and 'Tracks' .
These aren't needed for our present purpose, and you can always experiment with them later on.

Finally, after closing down Internet Explorer, hit 'Check for Problems', and have SpyBot remove all it finds.

 

[maggikelly]

Hi Tony
Thanks for your help, I will send you the whole hi jack list, There was a lot on it and I didnt understand any of it!! Sorry, Told you I was a newbie. So I just picked out the ones that keep trying to access the net. Whole list is as follows. Have to go to bed now as it is late here in Australia. Will be back on line tomorrow night.
Thanks again for your help.
Maggi

Logfile of HijackThis v1.91.2
Scan saved at 9:06:54 PM, on 1/19/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=www.icenet.com.au/links.shtml
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.ninemsn.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=www.icenet.com.au
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL=www.icenet.com.au/links.shtml
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page=www.icenet.com.au
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar=www.icenet.com.au/links.shtml
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=www.icenet.com.au
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL=www.icenet.com.au/links.shtml
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title=Icenet Internet Services
F1 - win.ini: load=ptsnoop.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Norton AntiVirus\POPROXY.EXE
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
O4 - HKLM\..\Run: [System Monitor] sysmon16.exe
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [WhenUSave] C:\PROGRA~1\SAVE\Save.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [MiniLog] C:\WINDOWS\SYSTEM\ZONELABS\MINILOG.EXE -service
O4 - HKLM\..\RunServices: [System Monitor] sysmon16.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O4 - Startup: Reboot.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Forget Me Not Reminders.lnk = C:\WINDOWS\HWINFO.EXE
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Run DAP (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} (MSN Chat Control 4.2) - http://fdl.msn.com/public/chat/msnchat42.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37632.6924305556
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as/asinst.cab

 

[TonyKlein]

No prob, Maggi!

You actually did a fine job, as Sysmon16.exe and Save.exe are the only two items you really need to have Hijack This fix.

If you do exactly what I just told you, you'll be fine.

Don't forget to find and delete the Sysmon16.exe file, and to run SpyBot in order to remove SaveNow.

Good luck,

 

[maggikelly]

Hi Tony
Just Logged on, I am now going to follow your instructions . thanks a lot, will let you know how I get on.
Thanks
Maggi

 

[maggikelly]

Hi Tony
I did all the things you said, and Spybot did its works real good, so I have fixed and removed all problem files. I only have 1 problem now, and i wonder if you can help. Where do I look for the sysmon16.exe file, I trie to locate on find. but it says its not there. I have started to manually search my folders, If you know of a quicker way, please can you let me know, thanks,
Maggi in Australia

 

[jm100dm]

If you don't find it using find to search your harddrives then you will not be able to find it manually in your files. Go to start\run\ type regedit press ok. Click edit\find type in Sysmon16 and press find next. Make sure that the 16 is in there sysmon is a valid windows progam. If it is found in the registry right click on it and delete it. When asked are you sure press yes. Continue through to the end of the registry with edit\find next. That should take care of it.

jm100dm

 

[TonyKlein]

All you need to do is have Hijack This fix the following items:

O4 - HKLM\..\Run: [WhenUSave] C:\PROGRA~1\SAVE\Save.exe
O4 - HKLM\..\RunServices: [System Monitor] sysmon16.exe

That will remove their startup entries from the registry, so there's no need to do a manual search on top of that.

If you subsequently reboot, the files themselves won't load, and will therefore not be in use by Windows so that they can easily be deleted.