
Hijack log

Discussion in 'Virus & Other Malware Removal' started by lokey, Feb 12, 2005.

Thread Status:
Not open for further replies.
  1. lokey

    lokey Thread Starter

    Joined:
    Jun 23, 2003
    Messages:
    17
    Howdy,

    I have a question about the last entry, should it go?

    I'm running WIN ME.






    Logfile of HijackThis v1.97.7
    Scan saved at 4:46:54 PM, on 2/12/2005
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\NOVELL\CLIENT32\NWRECMSG.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\WINDOWS\PTSNOOP.EXE
    C:\WINDOWS\SYSTEM\CMMPU.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\PCI AUDIO APPLICATIONS\MIXER.EXE
    C:\PROGRAM FILES\WUSB11 WLAN MONITOR\WLAN_CFG.EXE
    C:\WINDOWS\SYSTEM\HPZTSB04.EXE
    C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
    C:\PROGRAM FILES\AHEAD\INCD\INCD.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\NETSCAPE\NETSCAPE\NETSCP.EXE
    C:\HIJACKTHIS!\HIJACKTHIS.EXE

    F1 - win.ini: load=ptsnoop.exe
    F1 - win.ini: run=C:\WINDOWS\SYSTEM\cmmpu.exe
    N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.vg.no/"); (C:\Program Files\Netscape\Users\andreas\prefs.js)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
    O4 - HKLM\..\Run: [C-Media Mixer] C:\Program Files\PCI Audio Applications\Mixer.exe /startup
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [WLAN_Cfg.exe] C:\Program Files\WUSB11 WLAN Monitor\WLAN_Cfg.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb04.exe
    O4 - HKLM\..\Run: [BackgroundScheduler] C:\PROGRA~1\COMMON~1\WallData\Schedule\RRServer.exe
    O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O12 - Plugin for .viv: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npviv32.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 128.54.16.2,132.239.1.52,137.110.0.26
     
  2. bosshogg151

    bosshogg151

    Joined:
    Jan 17, 2004
    Messages:
    553
    There is a newer version of HJT.

    Please go to http://www.spywareinfo.com/~merijn/

    Please note: When you download HijackThis put it in its own permanent folder like My Documents for example. DO NOT download to a temp folder or the desktop.

    Launch the program and click on the SCAN button. After the scan, click on "Save Log". It should save to Notepad.

    Click on Edit, then Select All. Then click Edit again then Copy. Then paste log back here in a reply.

    DO NOT have HijackThis fix anything yet. Most of what it shows will be harmless / needed stuff. Wait for an expert to review it and advise you.
     
  3. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    All of them are associated with your school

    University Of California San Diego External Networks
     
  4. lokey

    lokey Thread Starter

    Joined:
    Jun 23, 2003
    Messages:
    17
    Thanks Boss,

    Here's the updated HJT scan result...

    Logfile of HijackThis v1.99.0
    Scan saved at 8:41:51 AM, on 2/14/2005
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\NOVELL\CLIENT32\NWRECMSG.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\PTSNOOP.EXE
    C:\WINDOWS\SYSTEM\CMMPU.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\PCI AUDIO APPLICATIONS\MIXER.EXE
    C:\PROGRAM FILES\WUSB11 WLAN MONITOR\WLAN_CFG.EXE
    C:\WINDOWS\SYSTEM\HPZTSB04.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\PROGRAM FILES\AHEAD\INCD\INCD.EXE
    C:\PROGRAM FILES\NETSCAPE\NETSCAPE\NETSCP.EXE
    C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
    C:\HIJACKTHIS!\HIJACKTHIS\HIJACKTHIS.EXE

    R3 - Default URLSearchHook is missing
    F1 - win.ini: load=ptsnoop.exe
    F1 - win.ini: run=C:\WINDOWS\SYSTEM\cmmpu.exe
    N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.vg.no/"); (C:\Program Files\Netscape\Users\andreas\prefs.js)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
    O4 - HKLM\..\Run: [C-Media Mixer] C:\Program Files\PCI Audio Applications\Mixer.exe /startup
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [WLAN_Cfg.exe] C:\Program Files\WUSB11 WLAN Monitor\WLAN_Cfg.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb04.exe
    O4 - HKLM\..\Run: [BackgroundScheduler] C:\PROGRA~1\COMMON~1\WallData\Schedule\RRServer.exe
    O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O12 - Plugin for .viv: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npviv32.dll
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 128.54.16.2,132.239.1.52,137.110.0.26
    O21 - SSODL: OLE Automation Module - {3F143C3A-1457-6CCA-03A7-7AA23B61E40F} - (no file)


    Cheers,

    Lokey
     
  5. lokey

    lokey Thread Starter

    Joined:
    Jun 23, 2003
    Messages:
    17
    Hey SC,

    I wondered about that. I got this system from a classmate, and I know it was set up to use the campus hub. It seems my alma mater is quite pervasive... if you don't mind, how did you see that, what do you think the repercussions were, and how do I change that?

    Thanks,

    Lokey
     
  6. mjack547

    mjack547 Malware Specialist

    Joined:
    Sep 1, 2003
    Messages:
    3,181
    We knew it was University Of California San Diego External Networks by looking up the IP address.
     
  7. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    Enter those IPs here = http://www.whois.sc/

    Fix this with HJT
    O21 - SSODL: OLE Automation Module - {3F143C3A-1457-6CCA-03A7-7AA23B61E40F} - (no file)
     
  8. lokey

    lokey Thread Starter

    Joined:
    Jun 23, 2003
    Messages:
    17
    Thanks for the help everybody,

    I just downloaded Spybot, and I have two listings for "LoadPowerProfile" in Startup. Spybot's info seems to indicate one or both are hijacks... hmm? What do y'all say?




    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    ScanRegistry = C:\WINDOWS\scanregw.exe /autorun
    TaskMonitor = C:\WINDOWS\taskmon.exe
    SystemTray = SysTray.Exe
    CountrySelection = pctptt.exe
    C-Media Mixer = C:\Program Files\PCI Audio Applications\Mixer.exe /startup
    PCHealth = C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    WLAN_Cfg.exe = C:\Program Files\WUSB11 WLAN Monitor\WLAN_Cfg.exe
    HPDJ Taskbar Utility = C:\WINDOWS\SYSTEM\hpztsb04.exe
    BackgroundScheduler = C:\PROGRA~1\COMMON~1\WallData\Schedule\RRServer.exe
    AVG7_AMSVR = C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

    LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    SchedulingAgent = mstask.exe
    *StateMgr = C:\WINDOWS\System\Restore\StateMgr.exe

    --------------------------------------------------

    File association entry for .TXT:
    HKEY_CLASSES_ROOT\txtfile\shell\open\command

    (Default) = C:\WINDOWS\NOTEPAD.EXE %1

    --------------------------------------------------

    Load/Run keys from C:\WINDOWS\WIN.INI:

    load=ptsnoop.exe
    run=C:\WINDOWS\SYSTEM\cmmpu.exe

    --------------------------------------------------

    C:\WINDOWS\WININIT.BAK listing:
    (Created 3/2/2005, 8:22:24)

    [Rename]
    NUL=c:\windows\cookies\[email protected][2].txt

    --------------------------------------------------

    C:\AUTOEXEC.BAT listing:

    SET TEMP=C:\WINDOWS\TEMP
    SET TMP=C:\WINDOWS\TEMP
    SET windir=C:\WINDOWS
    SET winbootdir=C:\WINDOWS
    SET COMSPEC=C:\WINDOWS\COMMAND.COM
    SET PROMPT=$p$g
    SET PATH=C:\WINDOWS;C:\WINDOWS\COMMAND;C:\WINDOWS\SYSTEM;C:\Novell\Client32;C:\WINDOWS;C:\WINDOWS\COMMAND;C:\WINDOWS\SYSTEM;C:\Novell\Client32;C:\WINDOWS;C:\WINDOWS\COMMAND
    SET NWLANGUAGE=ENGLISH

    --------------------------------------------------

    C:\WINDOWS\WINSTART.BAT listing:

    C:\WINDOWS\tmpcpyis.bat

    --------------------------------------------------


    Enumerating Task Scheduler jobs:

    Tune-up Application Start.job
    Maintenance Wizard.job
    PCHealth Scheduler for Data Collection.job
    Disk Cleanup.job
    Disk Defragmenter.job
    ScanDisk.job

    --------------------------------------------------

    Enumerating Download Program Files:

    [Shockwave Flash Object]
    InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    [Shockwave ActiveX Control]
    InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\DIRECTOR\SWDIR.DLL
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

    --------------------------------------------------

    Enumerating ShellServiceObjectDelayLoad items:

    WebCheck: C:\WINDOWS\SYSTEM\WEBCHECK.DLL
    AUHook: C:\WINDOWS\SYSTEM\AUHOOK.DLL

    --------------------------------------------------
    End of report, 4,753 bytes
    Report generated in 0.304 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only




    Thanks,

    Lokey
     
  9. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    Those are legit entries; post the latest log.
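The two checks the helpers did by hand in this thread (looking up who owns the O17 NameServer addresses, and confirming that the LoadPowerProfile entry appearing under both Run and RunServices is harmless) can be scripted for triage. The following is an added example written for this page; it is not code from the thread, from HijackThis, or from Spybot. The regexes, the sample log and the `EXPECTED_DNS_PREFIXES` allow-list are my own assumptions: the three /16 prefixes simply contain the resolvers the posters attributed to the campus network, and you would replace them with whatever resolvers the machine under review is supposed to use.

```python
import ipaddress
import re

# Constructed sample: HijackThis-style lines modelled on the ones posted in this thread.
SAMPLE_LOG = r"""
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 128.54.16.2,132.239.1.52,137.110.0.26
O21 - SSODL: OLE Automation Module - {3F143C3A-1457-6CCA-03A7-7AA23B61E40F} - (no file)
"""

# Assumed allow-list (my assumption, not from the thread): /16 prefixes containing the
# resolvers the thread's WHOIS lookup attributed to the campus network. Replace with the
# resolver ranges you actually expect on the machine being reviewed.
EXPECTED_DNS_PREFIXES = [
    ipaddress.ip_network(p) for p in ("128.54.0.0/16", "132.239.0.0/16", "137.110.0.0/16")
]

# Line patterns for the three HijackThis sections this thread discusses.
O17_RE = re.compile(r"^O17 - .*?NameServer = (?P<servers>[\d.,]+)")
O21_RE = re.compile(r"^O21 - SSODL: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<file>.+)$")
O4_RE = re.compile(r"^O4 - HK(?:LM|CU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")


def parse_nameservers(log_text):
    """Return every DNS server address listed in O17 lines, in log order."""
    servers = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if m:
            servers.extend(s for s in m.group("servers").split(",") if s)
    return servers


def unexpected_nameservers(log_text, expected=EXPECTED_DNS_PREFIXES):
    """O17 resolver addresses outside every expected prefix (or not valid IPs at all).

    This is the scripted form of the WHOIS check: a resolver you cannot attribute to
    a network you trust is the thing to investigate, because it sees every lookup.
    """
    flagged = []
    for s in parse_nameservers(log_text):
        try:
            ip = ipaddress.ip_address(s)
        except ValueError:
            flagged.append(s)  # malformed entry: worth a look on its own
            continue
        if not any(ip in net for net in expected):
            flagged.append(s)
    return flagged


def orphaned_ssodl(log_text):
    """O21 ShellServiceObjectDelayLoad entries whose CLSID points at '(no file)'.

    An orphaned entry does nothing by itself, but it is leftover registration that
    a reviewer will normally want cleaned up, as the helper advised in this thread.
    """
    return [
        (m.group("name"), m.group("clsid"))
        for m in (O21_RE.match(line.strip()) for line in log_text.splitlines())
        if m and m.group("file").strip() == "(no file)"
    ]


def run_entries_by_name(log_text):
    """Map each O4 entry name to the (autorun key, command) pairs it appears under."""
    found = {}
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            found.setdefault(m.group("name"), []).append((m.group("key"), m.group("cmd")))
    return found


def duplicate_run_entries(log_text):
    """Names listed under more than one autorun key, with the distinct commands seen.

    On Win9x/ME the same item under Run and RunServices (LoadPowerProfile here) is
    normal; the thing worth checking is that both copies launch the same command.
    """
    return {
        name: sorted({cmd for _, cmd in hits})
        for name, hits in run_entries_by_name(log_text).items()
        if len(hits) > 1
    }


def triage(log_text, expected=EXPECTED_DNS_PREFIXES):
    """Summarise the findings a reviewer would want from these sections."""
    dups = duplicate_run_entries(log_text)
    return {
        "missing_urlsearchhook": any(
            line.strip().startswith("R3 - Default URLSearchHook is missing")
            for line in log_text.splitlines()
        ),
        "unexpected_nameservers": unexpected_nameservers(log_text, expected),
        "orphaned_ssodl": orphaned_ssodl(log_text),
        "duplicates_with_differing_commands": {n: c for n, c in dups.items() if len(c) > 1},
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against the constructed sample, `triage` reports no unexpected resolvers, the one orphaned O21 entry, and no duplicate with differing commands, which matches the conclusion the helpers reached by hand. Point `unexpected_nameservers` at a real log and an allow-list of your own resolvers to get the same check for a machine you are reviewing.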
     
  10. lokey

    lokey Thread Starter

    Joined:
    Jun 23, 2003
    Messages:
    17
    Hey SC,

    Should at least be better now! Here 'tis:



    Logfile of HijackThis v1.99.0
    Scan saved at 2:58:10 PM, on 2/15/2005
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\NOVELL\CLIENT32\NWRECMSG.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\WINDOWS\PTSNOOP.EXE
    C:\WINDOWS\SYSTEM\CMMPU.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\PCI AUDIO APPLICATIONS\MIXER.EXE
    C:\PROGRAM FILES\WUSB11 WLAN MONITOR\WLAN_CFG.EXE
    C:\WINDOWS\SYSTEM\HPZTSB04.EXE
    C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
    C:\PROGRAM FILES\NETSCAPE\NETSCAPE\NETSCP.EXE
    C:\HIJACKTHIS!\HIJACKTHIS\HIJACKTHIS.EXE

    R3 - Default URLSearchHook is missing
    F1 - win.ini: load=ptsnoop.exe
    F1 - win.ini: run=C:\WINDOWS\SYSTEM\cmmpu.exe
    N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.vg.no/"); (C:\Program Files\Netscape\Users\andreas\prefs.js)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
    O4 - HKLM\..\Run: [C-Media Mixer] C:\Program Files\PCI Audio Applications\Mixer.exe /startup
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [WLAN_Cfg.exe] C:\Program Files\WUSB11 WLAN Monitor\WLAN_Cfg.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb04.exe
    O4 - HKLM\..\Run: [BackgroundScheduler] C:\PROGRA~1\COMMON~1\WallData\Schedule\RRServer.exe
    O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O12 - Plugin for .viv: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npviv32.dll
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 128.54.16.2,132.239.1.52,137.110.0.26



    Many thanks,

    Lokey
     
  11. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    If it is no longer part of the campus network then you can remove that O17 entry, otherwise it looks fine
     
  12. lokey

    lokey Thread Starter

    Joined:
    Jun 23, 2003
    Messages:
    17
    SC,

    You were right on, now my web pages load up slick as sh**!

    Rock on,

    Lokey
     
Short URL to this thread: https://techguy.org/329852