
Help With Hijack Log pls

1K views 15 replies 4 participants last post by Rollin' Rog
#1 ·
Logfile of HijackThis v1.97.0
Scan saved at 5:39:18 PM, on 9/11/2003
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
c:\winnt\spool.exe
C:\WINNT\System32\svchost.exe
c:\winnt\spool.exe
c:\winnt\system\themes\Default\shell\SVCHOST.exe
C:\WINNT\System32\nvsvc32.exe
c:\winnt\system\cabs\restore\winmgnt.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\PROGRA~1\Agnitum\TAUSCA~1.6\taumon.exe
D:\Program Files\SonyTray.exe
D:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
D:\Kazaa Lite\kazaalite.kpp
E:\Programs\Hijackthis\HijackThis.exe

O2 - BHO: (no name) - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\E2G\IeBHOs.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Tau Monitor] D:\PROGRA~1\Agnitum\TAUSCA~1.6\taumon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Image Transfer.lnk = D:\Program Files\SonyTray.exe
O4 - Global Startup: ZoneAlarm.lnk = D:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37873.8762152778
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
 
#3 ·
Yeah, sorry, I had some trojans and viruses on my PC and I thought I cleaned them, but now some of my web stuff is screwy. For instance, I can't load Google, a lot of links don't show up, like icons on the Yahoo page, and Hotmail loads all weird. I am not sure what is going on, but I see like 4 svchost.exe in my Task Manager. Do you see any problems? Thanks in advance for the help.

~Chachi
 
#4 ·
O2 - BHO: (no name) - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\E2G\IeBHOs.dll

You might fix that one.....I see you are running kazaa, that's pretty dangerous.....

This can be fixed too, no need to run at startup:
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

Nero doesn't need to run at startup either.

Are you using LimeShop? If not, fix this one too:

O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm

I'll see if I can't grab someone else to have another look thru your list........
 
#5 ·
Restart Hijack This and put a check mark against the following

O2 - BHO: (no name) - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\E2G\IeBHOs.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm

Click Fix Checked
Restart your computer

Do a search for IeBHOs.dll, right-click it and delete it, or delete the E2G folder in C:\Program Files

Beat me to it, C ;)
 
#9 ·
There are three running processes there that would concern me:

c:\winnt\spool.exe

I'm not sure whether this is a default Win2k service, installed by some 3rd party printer drivers, or is a RapidBlaster variant.

http://www.wilderssecurity.net/specialinfo/rapidblaster.html

c:\winnt\system\themes\Default\shell\SVCHOST.exe

As far as I know, all legitimate versions of svchost.exe run from the System32 directory and are started as services. Do a File Search for that file, right-click on it and select Properties > Version. What are its version number, file size and copyright info?

c:\winnt\system\cabs\restore\winmgnt.exe

Do the same for winmgnt.exe in that directory. I think it's masquerading as winmgmt.exe which is legit.

Finally post a copy of the HijackThis Startuplist thusly:

Click Config > Misc Tools, put a check in "list minor sections" and click Generate Startuplist.

These must be starting as services somehow.
 
#11 ·
Yes. You can also try opening Task Manager and terminating those specific processes to see what gives when you do.

If you can't get HijackThis to run, see if you can extract tlist and open a command window and enter

tlist -s

Right click on the output and select "select all"

Then hit enter to copy it. You should be able to paste the output for review.

http://support.microsoft.com/defaul...port/kb/articles/Q250/3/20.ASP&NoWebContent=1

http://support.microsoft.com/defaul...port/kb/articles/Q263/2/01.ASP&NoWebContent=1

Tlist may even already be installed.
 
#13 ·
OMG, now when I go to download something it looks like it downloads it, and then it shows 0 KB in a zip file. I tried to re-download HijackThis and it just says nothing to unzip. I also just tried to virus scan with Trend and Panda and neither will work.

~Chachi
 
#14 ·
Can you open Task Manager (ctrl-alt-del) and terminate those three processes before you try a download?

Also clear out your Temporary Internet Cache. And if you have another browser, try that.

You will have to try to distinguish the real svchosts from the imposter. The real ones should have a system or network designation. Not sure what you will see with the other.

You may need to go to Admin Tools > Services and locate that particular one (by seeing where it is starting from) and disable it. If you can identify the other suspicious processes they might be disabled there as well.
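The two checks Rollin' Rog describes in #9 and #14 (a core binary such as svchost.exe is only legitimate from its usual directory, and winmgnt.exe is a one-letter lookalike of the real winmgmt.exe) can be applied mechanically to the "Running processes" section of a HijackThis log. The script below is an added example, not code from the thread or from HijackThis: the table of expected directories, the rule that flags unknown executables sitting directly in %SystemRoot% for review, and the assumption that %SystemRoot% is C:\WINNT are all mine, and the sample log is a constructed subset of the process list posted in #1.

```python
"""Audit the 'Running processes' section of a HijackThis log for masquerading:
core Windows binaries loaded from the wrong directory, and process names one
character away from a core binary. Added example; the expected-directory table
and the 'review' rule for %SystemRoot% are assumptions, not HijackThis logic."""
import ntpath

# Assumption: on Windows 2000 these core binaries are only legitimate when loaded
# from the listed directory under %SystemRoot% (C:\WINNT here).
CORE_BINARIES = {
    "smss.exe": {"system32"},
    "winlogon.exe": {"system32"},
    "services.exe": {"system32"},
    "lsass.exe": {"system32"},
    "svchost.exe": {"system32"},
    "spoolsv.exe": {"system32"},
    "winmgmt.exe": {"system32\\wbem"},  # the WMI service lives in System32\WBEM on Win2k
}
# Assumption: only Explorer is expected to sit directly in %SystemRoot%.
ROOT_ALLOWED = {"explorer.exe"}

# Constructed sample: a subset of the running-process lines from the log in #1.
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.0
Platform: Windows 2000 SP3 (WinNT 5.00.2195)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
c:\winnt\spool.exe
C:\WINNT\System32\svchost.exe
c:\winnt\system\themes\Default\shell\SVCHOST.exe
c:\winnt\system\cabs\restore\winmgnt.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
E:\Programs\Hijackthis\HijackThis.exe

O2 - BHO: (no name) - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\E2G\IeBHOs.dll
"""


def parse_running_processes(log_text):
    """Return the paths listed between 'Running processes:' and the next blank line."""
    lines = iter(log_text.splitlines())
    for line in lines:
        if line.strip().lower() == "running processes:":
            break
    procs = []
    for line in lines:
        if not line.strip():
            break
        procs.append(line.strip())
    return procs


def edit_distance(a, b):
    """Levenshtein distance; used to catch one-character lookalike names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(path, system_root="C:\\WINNT"):
    """Return (verdict, reason): 'ok', 'suspicious' or 'review'. Case-insensitive."""
    root = system_root.lower()
    name = ntpath.basename(path).lower()
    directory = ntpath.dirname(path).lower()
    if name in CORE_BINARIES:
        allowed = {ntpath.join(root, sub) for sub in CORE_BINARIES[name]}
        if directory in allowed:
            return "ok", "core binary loaded from its expected directory"
        return "suspicious", f"{name} loaded from {directory}; expected {sorted(allowed)}"
    for known in CORE_BINARIES:
        if edit_distance(name, known) == 1:
            return "suspicious", f"{name} is one character away from {known} (possible masquerade)"
    if directory == root and name not in ROOT_ALLOWED:
        return "review", f"unexpected executable directly in {root}; check Properties > Version"
    return "ok", "no rule matched"


def audit(log_text, system_root="C:\\WINNT"):
    """Classify every running process in the log; returns (path, verdict, reason) tuples."""
    return [(p,) + classify(p, system_root) for p in parse_running_processes(log_text)]


if __name__ == "__main__":
    for path, verdict, reason in audit(SAMPLE_LOG):
        if verdict != "ok":
            print(f"{verdict:10} {path}\n           {reason}")
```

Run against the sample, the script reports the same three entries the thread singles out: the SVCHOST.exe under system\themes (wrong directory), winmgnt.exe (lookalike of winmgmt.exe) and spool.exe (unknown file directly in C:\WINNT, marked for the Properties > Version check rather than condemned outright). The legitimate WinMgmt.exe in System32\WBEM passes because the table records its real home instead of assuming everything belongs in System32.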
 
#16 ·
Try booting up in Safe Mode, logging on as Administrator and see if you can access Administrative Tools that way.

In Safe Mode, find the files referred to and try renaming them. You may get error messages on restart if the services haven't been disabled, but at least they won't be running. Don't touch the svchost.exe in the system32 folder.
 