help with hijack?

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

vox

Thread Starter
Joined
Aug 26, 2003
Messages
21
Hi-
I just had a nasty bout with a virus and a keylogger. I downloaded spybot and hijackthis and I think I cleared it all up - but could someone have a look and tell me if it looks ok?
thanks!
vox

Logfile of HijackThis v1.96.4
Scan saved at 12:52:55 AM, on 9/11/2003
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\THOTKEY.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\IRMON.EXE
C:\TOSHIBA\MOUSE\TMOUSE.EXE
C:\WINDOWS\SYSTEM\TFUNCKEY.EXE
C:\WINDOWS\SYSTEM\TPWRMGR.EXE
C:\WINDOWS\SYSTEM\TOSHIBSU.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\RunDLL.exe
C:\WINDOWS\TEMP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.metacrawler.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.microsoft.com/search/search.asp
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [IrMon] IrMon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [TMOUSE] C:\Toshiba\Mouse\tmouse.exe
O4 - HKLM\..\Run: [TFunckey] TFunckey.Exe
O4 - HKLM\..\Run: [TPwrMgr] TPwrMgr.Exe
O4 - HKLM\..\Run: [TDspOff] TDspOff.Exe B
O4 - HKLM\..\Run: [TOSHIBSU] TOSHIBSU.EXE
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [THotkey] THotkey.Exe
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: RealDownload.lnk = C:\Program Files\REAL\RealDownload\REALDOWNLOAD.EXE
O4 - User Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - User Startup: RealDownload.lnk = C:\Program Files\REAL\RealDownload\REALDOWNLOAD.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: Yahoo! Pyramids - http://download.games.yahoo.com/games/clients/y/pyt0_x.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/d052c1d7d32ead/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37860.4168171296
O16 - DPF: Turbo 21 TM by pogo.com - http://turbo15.pogo.com/applet/turbo21/turbo21-ob-assets.cab
O16 - DPF: Word Whomp by pogo.com - http://whomp.pogo.com/applet/wordwhomp/wordwhomp-ob-assets.cab
 
Joined
Mar 9, 2003
Messages
4,699
In Hijack This, check ALL of the following items. Double check so as to be sure not to miss a single one.
Next, close all browser Windows, and have HT fix all checked.

O4 - HKLM\..\Run: [TDspOff] TDspOff.Exe B
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - Startup: RealDownload.lnk = C:\Program Files\REAL\RealDownload\REALDOWNLOAD.EXE
O4 - User Startup: RealDownload.lnk = C:\Program Files\REAL\RealDownload\REALDOWNLOAD.EXE


Next reboot into Safe Mode and remove the following files and folders that are bolded

C:\WINDOWS\SYSTEM\INTERNAT.EXE

See here http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406 for how to start in safe mode if you don't know how.

Reboot into normal mode

Now download Spybot - Search & Destroy (if you haven't got the program installed already)

After installing, first press Online, and search for, put a check mark at, and install all updates.

Next, close all Internet Explorer windows, hit 'Check for Problems', and have SpyBot remove/fix all it finds that are in RED

Reboot

Last, run HJT again and post your log again to see if anything was missed.

Thanks
 
Joined
Sep 10, 2003
Messages
76
Next reboot into Safe Mode and remove the following files and folders that are bolded

C:\WINDOWS\SYSTEM\INTERNAT.EXE

why must remove the INTERNAT.EXE??? I do not think so,I think it is "microsoft Keyboard Language Indicator Applet", i think it is a good app!!:D :confused:
 
Joined
Mar 9, 2003
Messages
4,699
Oops, good catch.

C:\WINDOWS\SYSTEM\INTERNAT.EXE
As you pointed out is the Keyboard Language Indicator

C:\WINDOWS\INTERNAT.EXE
Is the result of a virus.

As they say in real estate, location is everything.

Sorry about that one. :eek:
 

Metallica

Malware Specialist
Joined
Jan 28, 2003
Messages
692
Unless you like/need to switch language settings regularly, there is no harm in disabling internat.exe

Regards,

Pieter
 

vox

Thread Starter
Joined
Aug 26, 2003
Messages
21
Ok, so don't disable internat...
What is :O4 - HKLM\..\Run: [TDspOff] TDspOff.Exe B
and :O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
?
I just like to know what I'm removing.
I've always wanted to remove the realdownload stuff, but it seems to interfer with my media stuff when I try to remove it ( like sound and video). Is this possible?
Thanks
vox
 
Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Users Who Are Viewing This Thread (Users: 0, Guests: 1)

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 807,865 other people just like you!

Latest posts

Members online

Top