Help With Hijack Log pls

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

chachi45

Thread Starter
Joined
Sep 8, 2003
Messages
8
Logfile of HijackThis v1.97.0
Scan saved at 5:39:18 PM, on 9/11/2003
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
c:\winnt\spool.exe
C:\WINNT\System32\svchost.exe
c:\winnt\spool.exe
c:\winnt\system\themes\Default\shell\SVCHOST.exe
C:\WINNT\System32\nvsvc32.exe
c:\winnt\system\cabs\restore\winmgnt.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\PROGRA~1\Agnitum\TAUSCA~1.6\taumon.exe
D:\Program Files\SonyTray.exe
D:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
D:\Kazaa Lite\kazaalite.kpp
E:\Programs\Hijackthis\HijackThis.exe

O2 - BHO: (no name) - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\E2G\IeBHOs.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Tau Monitor] D:\PROGRA~1\Agnitum\TAUSCA~1.6\taumon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Image Transfer.lnk = D:\Program Files\SonyTray.exe
O4 - Global Startup: ZoneAlarm.lnk = D:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37873.8762152778
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
 

chachi45

Thread Starter
Joined
Sep 8, 2003
Messages
8
Yeah, sorry, I had some trojans and viruses on my PC and I thought I cleaned them, but now some of my web stuff is screwy. For instance, I can't load Google, a lot of links don't show up (like icons on the Yahoo page), and Hotmail loads all weird. I am not sure what is going on, but I see like 4 svchost.exe in my Task Manager. Do you see any problems? Thanks in advance for the help.

~Chachi
 

~Candy~

Retired Administrator
Joined
Jan 27, 2001
Messages
103,706
O2 - BHO: (no name) - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\E2G\IeBHOs.dll

You might fix that one. I see you are running Kazaa; that's pretty dangerous.

This can be fixed too, no need to run at startup:
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

Nero doesn't need to run at startup either.

Are you using LimeShop? If not, fix this one too:

O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm


I'll see if I can't grab someone else to have another look thru your list........
 
Joined
Mar 20, 2003
Messages
4,823
Restart Hijack This and put a check mark against the following

O2 - BHO: (no name) - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\E2G\IeBHOs.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm

Click Fix Checked
Restart your computer

Do a search for IeBHOs.dll, right-click it and delete it, or delete the E2G folder in C:\Program Files.
Beat me to it, C ;)
 

~Candy~

Retired Administrator
Joined
Jan 27, 2001
Messages
103,706
Thanks PAS, I beckoned Rollin' Rog, didn't see you logged on :p

Looks like I'm getting half way decent on these :D
 
Joined
Mar 20, 2003
Messages
4,823
I know, looks like we'll be redundant soon, :p

Chachi's OK on Kazaa, as it is Kazaa Lite running rather than the full-blown, spyware-ridden version.
 

~Candy~

Retired Administrator
Joined
Jan 27, 2001
Messages
103,706
Thanks for that info. I don't do either Kazaa version, but I guess a Google search would have told me it was the Lite version ;)
 
Joined
Dec 9, 2000
Messages
45,855
There are three running processes there that would concern me:

c:\winnt\spool.exe

I'm not sure whether this is a default Win2k service, installed by some 3rd party printer drivers, or is a RapidBlaster variant.

http://www.wilderssecurity.net/specialinfo/rapidblaster.html

c:\winnt\system\themes\Default\shell\SVCHOST.exe

As far as I know, all legitimate versions of svchost.exe run from the System32 directory and are started as services. Do a File Search for that one, right-click on it and select Properties > Version. What are its version number, file size and copyright info?

c:\winnt\system\cabs\restore\winmgnt.exe

Do the same for winmgnt.exe in that directory. I think it's masquerading as winmgmt.exe, which is legit.

Finally post a copy of the HijackThis Startuplist thusly:

Click Config > Misc Tools, put a check in "list minor sections" and click Generate Startuplist.

These must be starting as services somehow.
 

chachi45

Thread Starter
Joined
Sep 8, 2003
Messages
8
Thanks guys, I will try all this when I get home tonight. The only thing is, that HijackThis log was from a week or so ago, and when I tried to run hijackthis.exe again it would not open. Should I download it again and try it?

~Chachi
 
Joined
Dec 9, 2000
Messages
45,855
Yes. You can also try opening Task Manager and terminating those specific processes to see what gives when you do.

If you can't get HijackThis to run, see if you can extract tlist and open a command window and enter

tlist -s

Right click on the output and select "select all"

Then hit enter to copy it. You should be able to paste the output for review.

http://support.microsoft.com/defaul...port/kb/articles/Q250/3/20.ASP&NoWebContent=1

http://support.microsoft.com/defaul...port/kb/articles/Q263/2/01.ASP&NoWebContent=1

Tlist may even already be installed.
 

chachi45

Thread Starter
Joined
Sep 8, 2003
Messages
8
OMG, now when I go to download something it looks like it downloads it, and then it shows 0 KB in a zip file. I tried to re-download HijackThis and it just says nothing to unzip. I also just tried to virus scan with Trend and Panda and neither will work.

~Chachi
 
Joined
Dec 9, 2000
Messages
45,855
Can you open Task Manager (ctrl-alt-del) and terminate those three processes before you try a download?

Also clear out your Temporary Internet Cache. And if you have another browser, try that.

You will have to try to distinguish the real svchosts from the impostor. The real ones should have a system or network designation. Not sure what you will see with the other.

You may need to go to Admin Tools > Services and locate that particular one (by seeing where it is starting from) and disable it. If you can identify the other suspicious processes they might be disabled there as well.
 
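Rollin' Rog's two posts above make the same point twice: a legitimate svchost.exe runs from System32 and is started as a service, winmgnt.exe is a look-alike for the legitimate winmgmt.exe, and the impostors have to be told apart from the real ones by where they run from. The following Python script is an added example (it is not from the thread, from HijackThis, or from any poster) that automates exactly that triage over the "Running processes" section of a HijackThis log. The Windows root, the allow-list of core binaries and their expected directories, and the list of binaries that normally sit directly in the Windows root are assumptions based on Windows 2000 defaults; the sample log is constructed from the lines posted in this thread.

```python
"""Flag impostor and look-alike system processes in the 'Running processes'
section of a HijackThis log.  Added example; not HijackThis code."""

# Windows root as it appears in this log (assumption: Windows 2000 default).
WINDIR = r"c:\winnt"

# Core binaries and the directory (relative to WINDIR) each legitimately
# runs from.  Small allow-list based on Windows 2000 defaults (assumption).
EXPECTED_DIR = {
    "smss.exe": "system32",
    "csrss.exe": "system32",
    "winlogon.exe": "system32",
    "services.exe": "system32",
    "lsass.exe": "system32",
    "svchost.exe": "system32",
    "spoolsv.exe": "system32",
    "winmgmt.exe": r"system32\wbem",
    "explorer.exe": "",
}

# Binaries that normally live directly in WINDIR (assumption); anything else
# executing from there is worth a closer look.
KNOWN_IN_ROOT = {"explorer.exe", "notepad.exe", "regedit.exe", "hh.exe"}


def levenshtein(a, b):
    """Edit distance; used to catch one-character look-alike names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def running_processes(log_text):
    """Return the image paths listed under 'Running processes:'."""
    paths, inside = [], False
    for line in log_text.splitlines():
        if line.strip().lower() == "running processes:":
            inside = True
            continue
        if inside:
            if not line.strip():      # section ends at the first blank line
                break
            paths.append(line.strip())
    return paths


def classify(path):
    """Return (verdict, reason) for one image path, or None if unremarkable."""
    p = path.lower()
    directory, _, name = p.rpartition("\\")
    if name in EXPECTED_DIR:
        expected = (WINDIR + "\\" + EXPECTED_DIR[name]).rstrip("\\")
        if directory != expected:
            return ("IMPOSTOR", f"{name} normally runs from {expected}, not {directory}")
        return None
    for known in EXPECTED_DIR:
        if levenshtein(name, known) == 1:
            return ("LOOKALIKE", f"{name} is one character away from {known}")
    if directory == WINDIR and name not in KNOWN_IN_ROOT:
        return ("UNRECOGNIZED", f"{name} runs directly from {WINDIR}; not a known resident")
    return None


def triage(log_text):
    """Scan a log and return [(path, verdict, reason)] for every flagged process."""
    findings = []
    for path in running_processes(log_text):
        result = classify(path)
        if result:
            findings.append((path,) + result)
    return findings


# Constructed sample: the relevant lines from the log posted in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.0
Platform: Windows 2000 SP3 (WinNT 5.00.2195)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
c:\winnt\spool.exe
c:\winnt\system\themes\Default\shell\SVCHOST.exe
c:\winnt\system\cabs\restore\winmgnt.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
E:\Programs\Hijackthis\HijackThis.exe

O2 - BHO: (no name) - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\E2G\IeBHOs.dll
"""

if __name__ == "__main__":
    for path, verdict, reason in triage(SAMPLE_LOG):
        print(f"{verdict:12} {path}\n             {reason}")
```

Run against the sample, the script flags the three processes the thread singles out and nothing else: the SVCHOST.exe under system\themes as an impostor (wrong directory for a known system binary), winmgnt.exe as a look-alike of winmgmt.exe, and spool.exe as an unrecognized executable sitting directly in the Windows root. The version, size and copyright check Rollin' Rog asks for is still the right next step; a path-based triage only tells you which files deserve it.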

chachi45

Thread Starter
Joined
Sep 8, 2003
Messages
8
It won't allow me to terminate any processes; it says access denied. Anything I click on in Admin Tools says the disk is full.
 