hijack this results- plz analyze

greener · Apr 10, 2004

well my first post...here goes....during my startup process i get an error, it says that my MTASK.EXE file is corrupt and i need to reinstall it...now my question is, what does this program do- i understand that it is my task scheduler-, and is it essential that i have it on my computer?....i have done a search already and there is no question that is specific enuf, so any info would be much appreciated....now i am not sure if this has anything to do with that or not, but it may....i downloaded the stop-sign program, which detects viruses, trojans and worms,...well it detected them, and it showed that i had some trojans!... i am assuming that these trojans corrupted my files and one of them being my mtask file...is there any freeware out there which eliminates troajans from ur comp? or is there something else i must do?....thanks in advance!!!!

Cookiegal · Apr 10, 2004

Hi Greener and welcome to TSG,

You can start by following these instructions to downnload some programs to clean out stuff on your computer and then post a Hijack This scan log for the experts to take a look at for you.

AD-AWARE

Go here: http://www.lavasoftusa.com/support/download/
and download Ad-Aware 6 Build 181

Install the program and launch it.

First in the main window look in the bottom right-hand corner and click on Check for updates now and download the latest reference files.

Make sure the following settings are made and on -------ON=GREEN

From main window: Click Start then Activate in-depth scan (recommended)

Click Use custom scanning options then click Customize and have these options selected: Under Drives and Folders put a check by Scan within archives and below that under Memory and Registry put a check by all the options there.

Now click on the Tweak button in that same window. Under Scanning engine select Unload recognized processes during scanning and under Cleaning Engine select Let windows remove files in use at next reboot

Click proceed to save your settings.

Now to scan just click the Next button.

When the scan is finished mark everything for removal and get rid of it. (Right click the window and choose select all from the drop down menu and click Next)

Restart your computer

Download and run: SPYBOT SEARCH & DESTROY, here:

http://download.com.com/3000-2144-1...tml?tag=lst-0-1

Open Spybot Search & Destroy (Click Start, Programs, Spybot S&D (Advanced Mode). Click online, Search for updates, Download all available updates. Close all Browser windows, Click ''Check for Problems'', Put a check in every entry Spybot Search & Destroy flags with a red exclamation mark and click ''Fix Selected Problems'' , Then restart your computer.

Download both of these for added protection: SPYWAREBLASTER & SPYWAREGUARD, here:

http://www.javacoolsoftware.com/spywareblaster.html

Once you've done all that, download HIJACK THIS, scan and post the saved log here for an expert to take a look at as Im not qualified to analyze the log.

Please do this. Click here: http://www.sherrylynn.us/HijackThis.exe to download Hijack This. Save it to its own folder (not temporary files or the desktop).

Close all open windows and open HIJACK THIS. Click Scan. When the scan is finished (it only takes a second), the scan button will change to Save Log. Click on Save Log and save it to NotePad. Copy the entire log and paste it here.

DO NOT FIX ANYTHING YET, most items that appear in the log are harmless or even needed. Wait for someone to analyze the scan and advise.

Cookie

raybro · Apr 10, 2004

Hi greener... Perhaps you made typo in your post, but there is no legit file named mtask.exe. The IS a legit file named mstask.exe it's located in the C:\Windows\System folder. One little letter makes all the difference in tye world.

Best to go through the process described by Cookiegal so we can see just what you have on your system.

greener · Apr 10, 2004

i am on it...wow, great job on the play by play cookie!!!!..let u know when its all done!

greener · Apr 10, 2004

hey guys and gals....i did everything that cookiegal told me to do, and the final thing was to post this log here and an expert will analyze and instruct me what to do....so here it is!-

Logfile of HijackThis v1.97.7
Scan saved at 2:29:30 PM, on 04/10/2004
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\COMPAQ\INTERNET\ISDBDC.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\NAV2003\ADVTOOLS\NPROTECT.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\LVCOMS.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\EVNTSVC.EXE
C:\WINDOWS\ptsnoop.exe
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 5\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSUPD.EXE
C:\PROGRAM FILES\COMMON FILES\ADAPTEC SHARED\CREATECD\CREATECD50.EXE
C:\PROGRAM FILES\COMMON FILES\EACCELERATION\EANTHOLOGY.EXE
C:\PROGRAM FILES\SYMANTEC\LIVEUPDATE\ALUNOTIFY.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\ACCELERATION SOFTWARE\ANTI-VIRUS\DEFSCANGUI.EXE
C:\PROGRAM FILES\ACCELERATION SOFTWARE\SYSTEMPATCHER\SYS_ALERT.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
C:\MY DOCUMENTS\HIJACK\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.ca/0SEENCA/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.officepools.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://desktop.presario.net/scripts/redirectors/presario/deskredir.dll?s=consumer&LC=1009&c=1c00
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.officepools.com/
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\NAV2003\NavShExt.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\NAV2003\NavShExt.dll
O3 - Toolbar: DashBar Toolbar - {CC90CDA0-74A0-45b4-80EF-D89CA8C249B8} - C:\PROGRAM FILES\DASHBAR\DASHBAR15.DLL (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LVComs] c:\windows\SYSTEM\LVComS.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [EM_EXEC] c:\MOUSE\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\PROGRA~1\NAV2003\CFGWIZ.EXE /R
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [NPROTECT] C:\PROGRA~1\NAV2003\ADVTOOLS\NPROTECT.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\SYSUPD.EXE
O4 - HKLM\..\Run: [CriticalUpdate] c:\windows\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [WebScan] C:\PROGRAM FILES\ACCELERATION SOFTWARE\ANTI-VIRUS\DEFSCANGUI.EXE -k
O4 - HKLM\..\Run: [eMailEncryption] C:\PROGRA~1\ACCELE~1\VELOZD~1\VELOZSYS.EXE runstart
O4 - HKLM\..\Run: [EanthologyApp] "C:\PROGRAM FILES\COMMON FILES\EACCELERATION\EANTHOLOGY.EXE" /b Startup
O4 - HKLM\..\Run: [CreateCD50] C:\PROGRA~1\COMMON~1\ADAPTE~1\CREATECD\CREATE~1.EXE -r
O4 - HKLM\..\Run: [eanth_critical_update_alert] "C:\PROGRAM FILES\ACCELERATION SOFTWARE\SYSTEMPATCHER\SYS_ALERT.EXE" /Startup
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [isdbdc] c:\compaq\internet\isdbdc.exe
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [NPROTECT] C:\PROGRA~1\NAV2003\ADVTOOLS\NPROTECT.EXE
O4 - HKCU\..\Run: [MsnMsgr] "c:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: EPSON Background Monitor.lnk = C:\ESM2\Stms.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O9 - Extra button: Translate (HKLM)
O9 - Extra 'Tools' menuitem: AV &Translate (HKLM)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL (HKLM)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host (HKLM)
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} (MSN Chat Control 4.2) - http://fdl.msn.com/public/chat/msnchat42.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37885.1924421296
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaudio.com/download/ccpm_0237.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab

greener · Apr 10, 2004

thanks a bunch cookie!!....there were a few problems tho...1st, i could not delete everything as it said that some things were still being used, so i did a new scan at start up and it seemed to take care of the problem....2nd, i could not get the updates for the spybot, it would not respond when i tried!....3rd, as far as the spyware stuff, what are ur recommendations for the setup on my comp?...all in all everything went great!...and to reply to raybro- u were right, it is the mstask.exe file....what are ur suggestions to fix that?

greener · Apr 10, 2004

bump

Nok1 · Apr 10, 2004

Download Ad-Aware 6.181 from http://www.lavasoftusa.com/

Install the program, open it check to make sure you have the latest reference file by clicking on webupdate. Make sure that your reference file reads 01R280 07.04.2004 (or higher number/date). If it does not, then click here and install the file manually.

Make sure the following settings are turned to ON
-From the main window click on Start then Activate in-depth scan.
-Click on Use custom scanning options>Customize and make sure the following options are turned on:
Scan within archives
Scan active processes
Scan registry
Scan my IE Favorites for banned URL
Scan my host-files

Click on Settings and make sure the following are enabled:
Unload recognized processes during scanning

Click on Cleaning engine and make sure that Let windows remove files in use at next reboot is on.

Finally Click Proceed to save your settings.

Click on Scan Now from the main window and select Use Custom Scanning options and click scan.

When scan completes, remove all items, then run another scan but this time select the Perform Smart-System Scan option and then also remove all items it finds.

then

Download Spyboy S&D from this page

Open and install the program then click here and follow the instructions for updating the program. Download all available updates.

Run a scan by clicking on Spybot S&D and then clicking Search & Destroy and then Check for problems

When scan completes, remove all items in red by making sure that they are checked and then click Fix selected problems

Run an onlive AV scan from http://housecall.trendmicro.com/housecall/start_corp.asp.

Post another HJT log.

Cookiegal · Apr 10, 2004

Hi Greener,

Just wanted to point out that you should stick with the same thread. It gets confusing for the people who are trying to help to follow what's already been done, etc.

As far as Mstask.exe is concerned, that is a valid file, as Raybro pointed out so you don't want to fix that.

Also, as far as security settings goes, I suggest that you read this thread that Derek kindly started. It gives you lots of great tips for securing your computer.

Now, having saving that, I will ask that these two threads be combined over in Security.

Good luck with this,

Cookie

Cookiegal · Apr 10, 2004

I have requested that your two threads be combined, Greener.

As you can see, you should stick to the one thread as Nok1 has graciously offered to help but he didn't know that everything suggested has already been done, other than the on-line scan, which you can do.

The great guys and gals here at TSG will get you fixed up in no time.

Cookie

Nok1 · Apr 10, 2004

got it

Flrman1 · Apr 10, 2004

Threads combined. Please stick with one thread for this problem.

Cookiegal · Apr 10, 2004

Just realized I forgot to include the link to Derek's security tips thread, so here it is:

http://forums.techguy.org/t208517.html

Cookie

NiteHawk · Apr 10, 2004

Acceleration Software products are, in my opinion, one of the lowest forms of a scam on the internet. It is spyware that is posing as an anti-spyware product! Will it find spyware? Yes, it will find spyware from those that are NOT affiliated with them or those who have not given them a "contribution".

Personally I would go into add/remove programs and delete it and then follow up by deleting anything left over in C:\Program Files.

In Hijack This, check ALL of the following items. Double check so as to be sure not to miss a single one.
Next, close all browser Windows, and have HT fix all checked.

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

O3 - Toolbar: DashBar Toolbar - {CC90CDA0-74A0-45b4-80EF-D89CA8C249B8} - C:\PROGRAM FILES\DASHBAR\DASHBAR15.DLL (file missing)

O4 - HKLM\..\Run: [LVComs] c:\windows\SYSTEM\LVComS.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot

O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\SYSUPD.EXE
O4 - HKLM\..\Run: [CriticalUpdate] c:\windows\SYSTEM\wucrtupd.exe -startup

O4 - HKLM\..\Run: [WebScan] C:\PROGRAM FILES\ACCELERATION SOFTWARE\ANTI-VIRUS\DEFSCANGUI.EXE ?k
Stop-Sign from eAccelerration. Detects spyware, malware, viruses and keyloggers and stops popups. Spyware in itself - see their privacy statement here

O4 - HKLM\..\Run: [eMailEncryption] C:\PROGRA~1\ACCELE~1\VELOZD~1\VELOZSYS.EXE runstart
O4 - HKLM\..\Run: [EanthologyApp] "C:\PROGRAM FILES\COMMON FILES\EACCELERATION\EANTHOLOGY.EXE" /b Startup
O4 - HKLM\..\Run: [eanth_critical_update_alert] "C:\PROGRAM FILES\ACCELERATION SOFTWARE\SYSTEMPATCHER\SYS_ALERT.EXE" /Startup

Next reboot into Safe Mode and remove the following files and folders that are bolded

C:\WINDOWS\SYSUPD.EXE

See here http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406 for how to start in safe mode if you don't know how.

Reboot into normal mode

Now download Spybot - Search & Destroy (if you haven't got the program installed already)

After installing, first press Online, and search for, put a check mark at, and install all updates.

Next, close all Internet Explorer windows, hit 'Check for Problems', and have SpyBot remove/fix all it finds that are in RED

Reboot

Last, run HJT again and post your log again to see if anything was missed.

Thanks

greener · Apr 10, 2004

already done all that good stuff!!! ....nothing found~!

Log in or Sign up

hijack this results- plz analyze

greener Thread Starter

Cookiegal Administrator Malware Specialist Coordinator

raybro

greener Thread Starter

greener Thread Starter

greener Thread Starter

greener Thread Starter

Nok1

Cookiegal Administrator Malware Specialist Coordinator

Cookiegal Administrator Malware Specialist Coordinator

Nok1

Flrman1

Cookiegal Administrator Malware Specialist Coordinator

NiteHawk

greener Thread Starter

Sponsor

Welcome to Tech Support Guy!

New Laptop plagued by browser hijacker....help!

In Progress Please help, trying to figure out hijack

New Possible hijacking of my PC by some nefarious people

Log in or Sign up

hijack this results- plz analyze

greener Thread Starter

Cookiegal Administrator Malware Specialist Coordinator

raybro

greener Thread Starter

greener Thread Starter

greener Thread Starter

greener Thread Starter

Nok1

Cookiegal Administrator Malware Specialist Coordinator

Cookiegal Administrator Malware Specialist Coordinator

Nok1

Flrman1

Cookiegal Administrator Malware Specialist Coordinator

NiteHawk

greener Thread Starter

Sponsor

Welcome to Tech Support Guy!

New Laptop plagued by browser hijacker....help!

In Progress Please help, trying to figure out hijack

New Possible hijacking of my PC by some nefarious people

Useful Searches