1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

hijackthis log help needed

Discussion in 'Earlier Versions of Windows' started by paw5kids, Apr 23, 2004.

Thread Status:
Not open for further replies.
Advertisement
  1. paw5kids

    paw5kids Thread Starter

    Joined:
    Jun 4, 2003
    Messages:
    7
    Hi all!
    I am needing some help with my hijackthis log. I am not able to figure out what needs to go and what should stay. :rolleyes:
    Any and all help would be much appreciated!!
    Here's the log:

    Logfile of HijackThis v1.97.7
    Scan saved at 11:41:17 AM, on 4/23/04
    Platform: Windows 98 Gold (Win9x 4.10.1998)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
    C:\PROGRAM FILES\BROADJUMP\CLIENT FOUNDATION\CFD.EXE
    C:\WINDOWS\SYSUPD.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
    C:\WINDOWS\TEMP\K0S.EXE
    C:\WINDOWS\TEMP\Z6V.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    C:\PROGRAM FILES\NIKON\NKVIEW5\NKVMON.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\TEMP\HIJACKTHIS.EXE

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.mybc.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by telus.net®
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
    O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\SYSUPD.EXE
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [IGHTSL] C:\WINDOWS\SYSTEM\IGHTSL.exe
    O4 - HKLM\..\Run: [K0s] C:\WINDOWS\TEMP\K0S.EXE
    O4 - HKLM\..\Run: [Z6v] C:\WINDOWS\TEMP\Z6V.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
    O4 - HKCU\..\Run: [MsnMsgr] "c:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRAM FILES\YAHOO!\MESSENGER\ypager.exe -quiet
    O4 - HKCU\..\Run: [WNST] C:\WINDOWS\SYSTEM\wnsapicc.exe
    O4 - Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView5\NkvMon.exe
    O4 - Startup: PowerReg Scheduler.exe
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: AIM (HKLM)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.mybc.com
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37592.7003356482
    O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
    O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/download/kdx.cab
    O16 - DPF: ChatSpace Java Client 2.1.0.95 - http://www.suzannesomers.com:8000/Java/cs4ms095.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/0900062e99cb2ba7a516/netzip/RdxIE601.cab

    I had some problems with spyware so I have been using CWShredder and adaware but I notice there are a couple of things I have not noticed before, these two in particular are ones I know nothing about:
    C:\WINDOWS\TEMP\K0S.EXE
    C:\WINDOWS\TEMP\Z6V.EXE

    A few times over the last couple of days I get a window popping up saying that the K0S thing has had a problem (can't think of the exact wording in the window :( sorry) and then it says it has to shut down.

    And then things like the suzanne somers and the gamespot that I see in this log? I don't go to either of those sites so I don't know why they are showing up. My kids play some games but mostly ones from cd roms. The only things I use daily are the instant messangers, yahoo, aim and msn messanger.

    Thanks for any help!!
     
  2. mobo

    mobo

    Joined:
    Feb 23, 2003
    Messages:
    16,274
    First thing would be to redownload hijack and save it into its own folder. This way whatever is deleted will have a backup to reinstall from should it need be..
    Then from that new hijack in its own folder Rescan and put a check next to each of these then close all browser windows and click "fix checked"

    R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)

    O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe

    O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\SYSUPD.EXE

    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

    O4 - HKLM\..\Run: [IGHTSL] C:\WINDOWS\SYSTEM\IGHTSL.exe

    O4 - HKLM\..\Run: [K0s] C:\WINDOWS\TEMP\K0S.EXE

    O4 - HKLM\..\Run: [Z6v] C:\WINDOWS\TEMP\Z6V.EXE

    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime

    O4 - HKCU\..\Run: [WNST] C:\WINDOWS\SYSTEM\wnsapicc.exe

    O16 - DPF: ChatSpace Java Client 2.1.0.95 - http://www.suzannesomers.com:8000/Java/cs4ms095.cab


    Then reboot into safe mode and delete:
    C:\WINDOWS\SYSUPD.EXE
    C:\WINDOWS\TEMP\K0S.EXE
    C:\WINDOWS\TEMP\Z6V.EXE
     
  3. paw5kids

    paw5kids Thread Starter

    Joined:
    Jun 4, 2003
    Messages:
    7
    Thanks for the info!
    I am going to have to print this out somewhere and then try it. My printer isn't working right now so I will have to wait.
    So are these three:
    C:\WINDOWS\SYSUPD.EXE
    C:\WINDOWS\TEMP\K0S.EXE
    C:\WINDOWS\TEMP\Z6V.EXE

    bad news??

    I have panda activescan running right now, it says it's picked up 14 infected files already. :(
    Computers! Can't live with them, but you sure as heck can't live without them! LOL
     
  4. mobo

    mobo

    Joined:
    Feb 23, 2003
    Messages:
    16,274
    Yes bad news and repost a fresh log when you are finished scanning as well.
     
  5. paw5kids

    paw5kids Thread Starter

    Joined:
    Jun 4, 2003
    Messages:
    7
    Here is an updated hijackthis log since I deleted the items you mentioned BUT I couldn't seem to find the:

    C:\WINDOWS\SYSUPD.EXE
    C:\WINDOWS\TEMP\K0S.EXE
    C:\WINDOWS\TEMP\Z6V.EXE

    when I rebooted in safe mode to delete them? Could it be one of my spyware or something already got rid of them?

    Logfile of HijackThis v1.97.7
    Scan saved at 11:15:19 PM, on 4/26/04
    Platform: Windows 98 Gold (Win9x 4.10.1998)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
    C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
    C:\PROGRAM FILES\NIKON\NKVIEW5\NKVMON.EXE
    C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.mybc.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by telus.net®
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
    O4 - HKCU\..\Run: [MsnMsgr] "c:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRAM FILES\YAHOO!\MESSENGER\ypager.exe -quiet
    O4 - Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView5\NkvMon.exe
    O4 - Startup: PowerReg Scheduler.exe
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: AIM (HKLM)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.mybc.com
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37592.7003356482
    O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
    O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/download/kdx.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/0900062e99cb2ba7a516/netzip/RdxIE601.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab



    The one thing I am wondering about on this list is:
    O3 - Toolbar: &Radio
    What is that? I don't use a toolbar or radio so is this something I can get rid of?

    On Friday we will be switching from high speed dsl back over to dial up so I am hoping to get as much cleaned up as I can to try and help keep whatever speed I can after the switch. Is there anything here that I could do to help things along?
     
  6. mobo

    mobo

    Joined:
    Feb 23, 2003
    Messages:
    16,274
    Thats a clean log now.
     
  7. paw5kids

    paw5kids Thread Starter

    Joined:
    Jun 4, 2003
    Messages:
    7
    Great! Thank you for your help mobo!!!!
     
  8. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/223230

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice