
Help With Hijack Log pls

Discussion in 'Virus & Other Malware Removal' started by chachi45, Sep 22, 2003.

  1. chachi45

    chachi45 Thread Starter

    Joined:
    Sep 8, 2003
    Messages:
    8
    Logfile of HijackThis v1.97.0
    Scan saved at 5:39:18 PM, on 9/11/2003
    Platform: Windows 2000 SP3 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    c:\winnt\spool.exe
    C:\WINNT\System32\svchost.exe
    c:\winnt\spool.exe
    c:\winnt\system\themes\Default\shell\SVCHOST.exe
    C:\WINNT\System32\nvsvc32.exe
    c:\winnt\system\cabs\restore\winmgnt.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\system32\ZoneLabs\vsmon.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    D:\PROGRA~1\Agnitum\TAUSCA~1.6\taumon.exe
    D:\Program Files\SonyTray.exe
    D:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
    D:\Kazaa Lite\kazaalite.kpp
    E:\Programs\Hijackthis\HijackThis.exe

    O2 - BHO: (no name) - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\E2G\IeBHOs.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Tau Monitor] D:\PROGRA~1\Agnitum\TAUSCA~1.6\taumon.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Image Transfer.lnk = D:\Program Files\SonyTray.exe
    O4 - Global Startup: ZoneAlarm.lnk = D:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
    O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37873.8762152778
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  2. ~Candy~

    ~Candy~ Retired Administrator

    Joined:
    Jan 27, 2001
    Messages:
    103,706
    Do you have a problem?
     
  3. chachi45

    chachi45 Thread Starter

    Joined:
    Sep 8, 2003
    Messages:
    8
    Yeah, sorry, I had some trojans and viruses on my PC and I thought I cleaned them, but now some of my web stuff is screwy. For instance, I can't load Google, a lot of links don't show up (like icons on the Yahoo page), and Hotmail loads all weird. I am not sure what is going on, but I see like 4 svchost.exe in my Task Manager. Do you see any problems? Thanks in advance for the help.

    ~Chachi
     
  4. ~Candy~

    ~Candy~ Retired Administrator

    Joined:
    Jan 27, 2001
    Messages:
    103,706
    O2 - BHO: (no name) - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\E2G\IeBHOs.dll

    You might fix that one..... I see you are running Kazaa, that's pretty dangerous.....

    This can be fixed too, no need to run at startup:
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

    Nero doesn't need to run at startup either.

    Are you using LimeShop? If not, fix this one too:

    O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm


    I'll see if I can't grab someone else to have another look thru your list........
     
  5. putasolution

    putasolution

    Joined:
    Mar 20, 2003
    Messages:
    4,823
    Restart Hijack This and put a check mark against the following

    O2 - BHO: (no name) - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\E2G\IeBHOs.dll
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm

    Click Fix Checked
    Restart your computer

    Do a search for IeBHOs.dll, right click it and delete it, or delete the E2G folder in C:\Program Files
    Beat me to it, C ;)
     
  6. ~Candy~

    ~Candy~ Retired Administrator

    Joined:
    Jan 27, 2001
    Messages:
    103,706
    Thanks PAS, I beckoned Rollin' Rog, didn't see you logged on :p

    Looks like I'm getting half way decent on these :D
     
  7. putasolution

    putasolution

    Joined:
    Mar 20, 2003
    Messages:
    4,823
    I know, looks like we'll be redundant soon, :p

    Chachi's ok on Kazaa as it is kazaalite running rather than the full-blown, spyware-ridden version
     
  8. ~Candy~

    ~Candy~ Retired Administrator

    Joined:
    Jan 27, 2001
    Messages:
    103,706
    Thanks for that info, I don't do either Kazaa version, but I guess a google would have told me it was the lite version ;)
     
  9. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    There are three running processes there that would concern me:

    c:\winnt\spool.exe

    I'm not sure whether this is a default Win2k service, installed by some 3rd party printer drivers, or is a RapidBlaster variant.

    http://www.wilderssecurity.net/specialinfo/rapidblaster.html

    c:\winnt\system\themes\Default\shell\SVCHOST.exe

    As far as I know all legitimate versions of svchost.exe run from the System32 directory and are started as services. Do a File Search for that and right click on it and select Properties > Version. What is its version number, file size and copyright info?

    c:\winnt\system\cabs\restore\winmgnt.exe

    Do the same for winmgnt.exe in that directory. I think it's masquerading as winmgmt.exe which is legit.

    Finally post a copy of the HijackThis Startuplist thusly:

    Click Config > Misc Tools, put a check in "list minor sections" and click Generate Startuplist.

    These must be starting as services somehow.
     
  10. chachi45

    chachi45 Thread Starter

    Joined:
    Sep 8, 2003
    Messages:
    8
    Thanks guys, I will try all this when I get home tonight. The only thing is that that HijackThis log was from a week or so ago, and when I tried to run hijackthis.exe again it will not open. Should I download it again and try it?

    ~Chachi
     
  11. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    Yes. You can also try opening Task Manager and terminating those specific processes to see what gives when you do.

    If you can't get HijackThis to run, see if you can extract tlist and open a command window and enter

    tlist -s

    Right click on the output and select "select all"

    Then hit enter to copy it. You should be able to paste the output for review.

    http://support.microsoft.com/defaul...port/kb/articles/Q250/3/20.ASP&NoWebContent=1

    http://support.microsoft.com/defaul...port/kb/articles/Q263/2/01.ASP&NoWebContent=1

    Tlist may even already be installed.
     
  12. putasolution

    putasolution

    Joined:
    Mar 20, 2003
    Messages:
    4,823
    I think I would have to go with you on the RB variant, RR
     
  13. chachi45

    chachi45 Thread Starter

    Joined:
    Sep 8, 2003
    Messages:
    8
    OMG, now when I go to download something it looks like it downloads it and then it shows 0 KB in a zip file. I tried to re-download HijackThis and it just says nothing to unzip. I also just tried to virus scan with Trend and Panda and neither will work.

    ~Chachi
     
  14. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    Can you open Task Manager (ctrl-alt-del) and terminate those three processes before you try a download?

    Also clear out your Temporary Internet Cache. And if you have another browser, try that.

    You will have to try to distinguish the real svchosts from the imposter. The real ones should have a system or network designation. Not sure what you will see with the other.

    You may need to go to Admin Tools > Services and locate that particular one (by seeing where it is starting from) and disable it. If you can identify the other suspicious processes they might be disabled there as well.
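    Rollin' Rog's two checks above (a core binary such as svchost.exe is only legitimate when it runs from System32, and winmgnt.exe is a near-name impostor of winmgmt.exe) can be applied mechanically to the "Running processes" section of a HijackThis log. The script below is an added example written for this page, not code from the thread or from HijackThis; it assumes the system root is C:\WINNT (as in the posted log), uses a short illustrative list of core binaries, and runs over sample lines constructed from the paths in the thread's own log.

```python
from itertools import takewhile

# Core Windows binaries that legitimately run only from %SystemRoot%\System32
# (assumption: an illustrative short list, not an exhaustive one).
CORE_BINARIES = {"svchost.exe", "winmgmt.exe", "smss.exe", "winlogon.exe",
                 "services.exe", "lsass.exe", "spoolsv.exe"}

# Constructed sample, using paths taken from the log posted in the thread.
SAMPLE_LOG = r"""Running processes:
C:\WINNT\system32\svchost.exe
c:\winnt\spool.exe
c:\winnt\system\themes\Default\shell\SVCHOST.exe
c:\winnt\system\cabs\restore\winmgnt.exe
C:\WINNT\System32\WBEM\WinMgmt.exe

O2 - BHO: (no name) - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\E2G\IeBHOs.dll
"""

def levenshtein(a, b):
    """Edit distance, used to spot near-name impostors such as winmgnt vs winmgmt."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def running_processes(log_text):
    """Paths listed under 'Running processes:' up to the first blank line."""
    lines = [line.strip() for line in log_text.splitlines()]
    start = lines.index("Running processes:") + 1
    return list(takewhile(bool, lines[start:]))

def triage(log_text, system_root=r"C:\WINNT"):
    """Return (path, reason) pairs worth a closer look; system_root is an assumption."""
    sys32 = (system_root + "\\system32\\").lower()
    findings = []
    for path in running_processes(log_text):
        name = path.rsplit("\\", 1)[-1].lower()
        if name in CORE_BINARIES:
            # A genuine svchost/winmgmt lives in System32 (or a subfolder such as WBEM).
            if not path.lower().startswith(sys32):
                findings.append((path, "core binary running outside System32"))
            continue
        for core in sorted(CORE_BINARIES):
            if levenshtein(name, core) == 1:
                findings.append((path, f"name is one edit away from {core}"))
                break
    return findings
```

    Anything it flags still needs the manual follow-up from the thread (Properties > Version, file size, copyright) before deciding it is malicious.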
     
  15. chachi45

    chachi45 Thread Starter

    Joined:
    Sep 8, 2003
    Messages:
    8
    It won't allow me to terminate any processes; it says access denied. Anything I click on in Admin Tools says disk is full.
     