can anyone tell me which ones to delete

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

maggikelly

Thread Starter
Joined
Jan 19, 2003
Messages
12
Logfile of HijackThis v1.91.2
Scan saved at 9:06:54 PM, on 1/19/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)

F1 - win.ini: load=ptsnoop.exe
O4 - HKLM\..\Run: [System Monitor] sysmon16.exe
O4 - HKLM\..\Run: [WhenUSave] C:\PROGRA~1\SAVE\Save.exe

Are these viruses or needed programs?
Can anyone help, please?
Thanks
Maggi
 

TonyKlein

Malware Specialist
Joined
Aug 26, 2001
Messages
10,392
Maggi,

Why aren't you posting your entire Hijack This log instead of just the items that strike you as funny?

I told you in the other thread you have a backdoor trojan starting up, but I'm not hearing you talk about that one.

And you probably have lots of other stuff that needs attention.

If you're interested in having us assist you to get rid of unnecessary items, please help us to help you.
 

TonyKlein

Malware Specialist
Joined
Aug 26, 2001
Messages
10,392
OK, as you wish, then:

Sysmon16.exe is the trojan startup, and Save.exe is spyware.

Have Hijack This fix both.

Reboot, find and delete Sysmon16.exe.

Run an online scan on Panda Active Scan

Next, download Spybot - Search & Destroy

After installing, press Online, and search for, put a check mark at, and install all updates.

Next, go to the Settings tab > File Sets, and uncheck 'System Internals' and 'Tracks' .
These aren't needed for our present purpose, and you can always experiment with them later on.

Finally, after closing down Internet Explorer, hit 'Check for Problems', and have SpyBot remove all it finds.
 

maggikelly

Thread Starter
Joined
Jan 19, 2003
Messages
12
Hi Tony
Thanks for your help, I will send you the whole HijackThis list. There was a lot on it and I didn't understand any of it!! Sorry, told you I was a newbie. So I just picked out the ones that keep trying to access the net. The whole list is as follows. Have to go to bed now as it is late here in Australia. Will be back online tomorrow night.
Thanks again for your help.
Maggi

Logfile of HijackThis v1.91.2
Scan saved at 9:06:54 PM, on 1/19/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=www.icenet.com.au/links.shtml
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.ninemsn.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=www.icenet.com.au
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL=www.icenet.com.au/links.shtml
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page=www.icenet.com.au
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar=www.icenet.com.au/links.shtml
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=www.icenet.com.au
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL=www.icenet.com.au/links.shtml
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title=Icenet Internet Services
F1 - win.ini: load=ptsnoop.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Norton AntiVirus\POPROXY.EXE
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
O4 - HKLM\..\Run: [System Monitor] sysmon16.exe
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [WhenUSave] C:\PROGRA~1\SAVE\Save.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [MiniLog] C:\WINDOWS\SYSTEM\ZONELABS\MINILOG.EXE -service
O4 - HKLM\..\RunServices: [System Monitor] sysmon16.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O4 - Startup: Reboot.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Forget Me Not Reminders.lnk = C:\WINDOWS\HWINFO.EXE
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Run DAP (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} (MSN Chat Control 4.2) - http://fdl.msn.com/public/chat/msnchat42.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37632.6924305556
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as/asinst.cab
 

TonyKlein

Malware Specialist
Joined
Aug 26, 2001
Messages
10,392
No prob, Maggi! :)

You actually did a fine job, as Sysmon16.exe and Save.exe are the only two items you really need to have Hijack This fix.

If you do exactly what I just told you, you'll be fine.

Don't forget to find and delete the Sysmon16.exe file, and to run SpyBot in order to remove SaveNow.

Good luck,
 

maggikelly

Thread Starter
Joined
Jan 19, 2003
Messages
12
Hi Tony
Just logged on, I am now going to follow your instructions. Thanks a lot, will let you know how I get on.
Thanks
Maggi
 

maggikelly

Thread Starter
Joined
Jan 19, 2003
Messages
12
Hi Tony
I did all the things you said, and Spybot did its work real good, so I have fixed and removed all problem files. I only have 1 problem now, and I wonder if you can help. Where do I look for the sysmon16.exe file? I tried to locate it with Find, but it says it's not there. I have started to manually search my folders. If you know of a quicker way, please can you let me know, thanks,
Maggi in Australia
 
Joined
May 26, 1999
Messages
994
If you don't find it using Find to search your hard drives then you will not be able to find it manually in your files. Go to Start\Run, type regedit and press OK. Click Edit\Find, type in Sysmon16 and press Find Next. Make sure that the 16 is in there; sysmon is a valid Windows program. If it is found in the registry, right click on it and delete it. When asked "are you sure", press Yes. Continue through to the end of the registry with Edit\Find Next. That should take care of it.

jm100dm
 

TonyKlein

Malware Specialist
Joined
Aug 26, 2001
Messages
10,392
All you need to do is have Hijack This fix the following items:

O4 - HKLM\..\Run: [WhenUSave] C:\PROGRA~1\SAVE\Save.exe
O4 - HKLM\..\RunServices: [System Monitor] sysmon16.exe


That will remove their startup entries from the registry, so there's no need to do a manual search on top of that.

If you subsequently reboot, the files themselves won't load, and will therefore not be in use by Windows so that they can easily be deleted.
 
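As an added illustration (not from this thread, and not part of HijackThis itself), here is a small Python parser that turns O4 lines into the autostart location they stand for and flags the two programs named above. The sample lines are constructed from the log posted earlier; the expansion of the "HKLM\..\Run" shorthand to the full CurrentVersion key is my assumption about what HijackThis abbreviates.

```python
import re
import ntpath

# Constructed sample lines in HijackThis O4 format, taken from the log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [System Monitor] sysmon16.exe
O4 - HKLM\..\Run: [WhenUSave] C:\PROGRA~1\SAVE\Save.exe
O4 - HKLM\..\RunServices: [System Monitor] sysmon16.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O4 - Startup: Reboot.exe
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
"""

# HijackThis abbreviates the autostart keys as "HKLM\..\Run"; the key it stands for (assumed here).
RUN_KEY_PREFIX = r"Software\Microsoft\Windows\CurrentVersion"

REG_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run|RunServices|RunOnce|RunServicesOnce): \[([^\]]*)\] (.*)$")
FOLDER_RE = re.compile(r"^O4 - (Global Startup|Startup): (.*)$")

def first_token(cmd):
    """Program part of a command line: the quoted path if quoted, else the first word."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""

def parse_o4(line):
    """Parse one O4 line into where it autostarts from, its value name and the program it runs."""
    m = REG_RE.match(line)
    if m:
        hive, subkey, name, cmd = m.groups()
        prog = first_token(cmd)
    else:
        m = FOLDER_RE.match(line)
        if not m:
            return None  # not an O4 line (R0/R1, O8, O16 ...)
        folder, item = m.groups()
        # Startup-folder items are "shortcut.lnk = target" or a bare file sitting in the folder
        name, _, target = item.partition(" = ")
        hive, subkey, prog = folder, None, (target or name)
    location = f"{hive}\\{RUN_KEY_PREFIX}\\{subkey}" if subkey else hive
    # A bare file name (no directory) is found via the system PATH at boot, so the log gives no location
    return {"location": location, "name": name, "program": prog, "has_path": "\\" in prog}

def flag_entries(log_text, suspicious):
    """Return parsed O4 entries whose program basename is in `suspicious` (case-insensitive)."""
    wanted = {s.lower() for s in suspicious}
    return [e for e in map(parse_o4, log_text.splitlines())
            if e and ntpath.basename(e["program"]).lower() in wanted]
```

Running flag_entries(SAMPLE_LOG, {"sysmon16.exe", "Save.exe"}) returns the three entries Tony told Maggi to fix, with has_path False for sysmon16.exe, which is why the file had to be located separately after the startup entries were removed.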