Hijack CHeck Plz!

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

CodeShark

Thread Starter
Joined
Dec 11, 2002
Messages
233
Logfile of HijackThis v1.97.7
Scan saved at 10:22:37 PM, on 4/13/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\RTVSCN95.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\DEFWATCH.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\ATITASK.EXE
C:\WINDOWS\SYSTEM\ATICWD32.EXE
C:\WINDOWS\MIXER.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\VPTRAY.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\TEMP\RNW.EXE
C:\WINDOWS\TEMP\6TP.EXE
C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\DISTILLR\ACROTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\MGCMNI.EXE
C:\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\ACROBAT\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Atikey] Atitask.exe
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [vptray] C:\Program Files\Norton AntiVirus\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [lar] C:\WINDOWS\DESKTOP\LLASS.EXE
O4 - HKLM\..\Run: [Soundmx] \soundmx.exe
O4 - HKLM\..\Run: [Rnw] C:\WINDOWS\TEMP\RNW.EXE
O4 - HKLM\..\Run: [6tp] C:\WINDOWS\TEMP\6TP.EXE
O4 - HKLM\..\Run: [AutoLoaderEnvoloAutoUpdater] "C:\WINDOWS\TEMP\~COMPOUNDINST0\AUTO_UPDATE_LOADER.EXE"
O4 - HKLM\..\Run: [MGCMNI] C:\WINDOWS\SYSTEM\MGCMNI.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [rtvscn95] C:\Program Files\Norton AntiVirus\rtvscn95.exe
O4 - HKLM\..\RunServices: [defwatch] C:\Program Files\Norton AntiVirus\defwatch.exe
O4 - HKLM\..\RunServices: [lar] C:\WINDOWS\DESKTOP\LLASS.EXE
O4 - Startup: Microsoft Office.lnk = C:\WINDOWS\Application Data\Microsoft\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\misc.exe
O4 - Startup: Acrobat Assistant.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O13 - WWW. Prefix: http://
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: Yahoo! Freecell Solitaire - http://yog55.games.scd.yahoo.com/yog/y/fs10_x.cab
O16 - DPF: Yahoo! Klondike Solitaire - http://yog55.games.scd.yahoo.com/yog/y/ks12_x.cab
 
Joined
Mar 9, 2003
Messages
4,699
Let's start with a few programs that will find and remove some of the spyware/malware on your computer. Then we will maunally take care of what is left.

Download CWShredder at
http://www.merijn.org/cwschronicles.html (merijn's site has been under a denial of service lately so try the second link)
http://www.majorgeeks.com/download4086.html

Run CWShredder, check you have the current version by clicking check for update and let it update
Close all browser windows, click on the cwshredder.exe then click "FIX" (Not "Scan only") and let it do its thing.

Make sure you follow the advice about the security updates listed at the bottom of the page, in order to prevent re-infection, otherwise you will be continually re-infected.

The patches are:
http://support.microsoft.com/default.aspx?kbid=828026
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms03-011.asp

Go here and download Adaware 6 Build 181
http://www.lavasoftusa.com/support/download/
Install the program and launch it.

First in the main window look in the bottom right corner and click on "Check for updates now" and download the latest reference files. You must be online first to do this.

Make sure the following settings are made and on -------ON= GREEN
From main window: Click Start then Activate in-depth scan (recommended)
Click Use custom scanning options then click Customize and have these options selected: Under Drives and Folders put a check by Scan within archives and below that under Memory and Registry put a check by all the options there.

Now click on the Tweak button in that same window. Under Scanning engine select Unload recognized processes during scanning and under Cleaning Engine select Let windows remove files in use at next reboot Click proceed to save your settings.
Now to scan just click the Next button.

When the scan is finished mark everything for removal and get rid of it.
(Right-click the window and choose"select all" from the drop down menu and click Next.)

Restart your computer.

Run Spybot - Search & Destroy 1.2
http://tomcoyote.org/SPYBOT/index1.php
http://www.safer-networking.org/index.php?page=home ( select Download )
http://www.lurkhere.com/~nicefiles/

After installing, launch the program ( use the Advanced Mode )
first press Online, press search for updates, then tick the updates it finds, then press download updates.
If it doesn't work or you get an error message then try a different server.
Beside the download button is a little down pointed arrow, select one of the other servers listed.
IF you have cookies from trusted sites you want to keep, click on "excludes" then "cookies". Put a check in the ones you want saved. It will dump the rest.
Finally, after closing down Internet Explorer and OE windows, click Check for Problems, and have SpyBot remove all it finds. Remove everything in Red.
Spybot will sometimes not be able to remove all active components in the first 'run'.
In that case you will get a dialog asking you to run spybot at next start.
Click yes and reboot.
Spybot will come up before the system puts these components 'in use', and it will then be able to fix the rest.
If you didn't get the dialog box asking to reboot then reboot now anyway.

Download Hijack This. http://www.tomcoyote.org/hjt/ or http://www.lurkhere.com/~nicefiles/
Unzip, double-click HijackThis.exe, and hit "Scan".
 
Joined
Mar 9, 2003
Messages
4,699
Depending on what is left after you run the above programs run HJT again and take care of the following:

In Hijack This, check ALL of the following items. Double check so as to be sure not to miss a single one.
Next, close all browser Windows, and have HT fix all checked.

R3 - Default URLSearchHook is missing

O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [lar] C:\WINDOWS\DESKTOP\LLASS.EXE
O4 - HKLM\..\Run: [Soundmx] \soundmx.exe

O4 - HKLM\..\Run: [Rnw] C:\WINDOWS\TEMP\RNW.EXE
O4 - HKLM\..\Run: [6tp] C:\WINDOWS\TEMP\6TP.EXE
O4 - HKLM\..\Run: [AutoLoaderEnvoloAutoUpdater] "C:\WINDOWS\TEMP\~COMPOUNDINST0\AUTO_UPDATE_LOADER.EXE"
O4 - HKLM\..\Run: [MGCMNI] C:\WINDOWS\SYSTEM\MGCMNI.exe


O4 - HKLM\..\RunServices: [lar] C:\WINDOWS\DESKTOP\LLASS.EXE

O4 - Startup: Microsoft Office.lnk = C:\WINDOWS\Application Data\Microsoft\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\misc.exe
O4 - Startup: Acrobat Assistant.lnk = ?

O13 - WWW. Prefix: http://



Next reboot into Safe Mode and remove the following files and folders that are bolded

C:\WINDOWS\DESKTOP\LLASS.EXE
C:\Windows\soundmx.exe

C:\WINDOWS\TEMP\RNW.EXE
C:\WINDOWS\TEMP\6TP.EXE
C:\WINDOWS\TEMP\~COMPOUNDINST0\AUTO_UPDATE_LOADER.EXE
C:\WINDOWS\SYSTEM\MGCMNI.exe

See here http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406 for how to start in safe mode if you don't know how.

Reboot into normal mode


Now download Spybot - Search & Destroy (if you haven't got the program installed already)

After installing, first press Online, and search for, put a check mark at, and install all updates.

Next, close all Internet Explorer windows, hit 'Check for Problems', and have SpyBot remove/fix all it finds that are in RED

Reboot

Last, run HJT again and post your log again to see if anything was missed.

Thanks
 

CodeShark

Thread Starter
Joined
Dec 11, 2002
Messages
233
O4 - HKLM\..\Run: [Soundmx] \soundmx.exe

u sure about that one? Isn't that the soundcard?
 

CodeShark

Thread Starter
Joined
Dec 11, 2002
Messages
233
Logfile of HijackThis v1.97.7
Scan saved at 1:10:29 AM, on 4/15/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\RTVSCN95.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\DEFWATCH.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\ATITASK.EXE
C:\WINDOWS\SYSTEM\ATICWD32.EXE
C:\WINDOWS\MIXER.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\VPTRAY.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\ACROBAT\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Atikey] Atitask.exe
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [vptray] C:\Program Files\Norton AntiVirus\vptray.exe
O4 - HKLM\..\Run: [NATHUNKR] C:\WINDOWS\SYSTEM\NATHUNKR.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [rtvscn95] C:\Program Files\Norton AntiVirus\rtvscn95.exe
O4 - HKLM\..\RunServices: [defwatch] C:\Program Files\Norton AntiVirus\defwatch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: Yahoo! Freecell Solitaire - http://yog55.games.scd.yahoo.com/yog/y/fs10_x.cab
O16 - DPF: Yahoo! Klondike Solitaire - http://yog55.games.scd.yahoo.com/yog/y/ks12_x.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38090.9613773148
 

~Candy~

Retired Administrator
Joined
Jan 27, 2001
Messages
103,706
O4 - HKLM\..\Run: [NATHUNKR] C:\WINDOWS\SYSTEM\NATHUNKR.exe

Any idea what that is?
 
Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Users Who Are Viewing This Thread (Users: 0, Guests: 1)

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 807,865 other people just like you!

Latest posts

Members online

Top