hijackthis log post cleanup - sobig, win98

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

abbyk

Thread Starter
Joined
Sep 14, 2003
Messages
541
Hi guys

This is my 1st posting here :)

After cleaning a friend's PC (AVG, Spybot) I ran HijackThis.
One Sobig virus found & cleaned.
PC (P3 733, 128 MB) still seems sluggish - I think due to a Lexmark & HP printer connected, + will probably benefit from an extra 128 MB RAM.
I believe the machine is clean of nasties now but would like to make sure.

Logfile of HijackThis v1.96.4
Scan saved at 21:49:53, on 11/09/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\LEXMARKX84-X85\ACMONITOR_X84-X85.EXE
C:\PROGRAM FILES\LEXMARKX84-X85\ACBTNMGR_X84-X85.EXE
C:\WINDOWS\SYSTEM\PRINTRAY.EXE
C:\PROGRAM FILES\AHEAD\INCD\INCD.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\BELKIN WIRELESS\BELKIN WIRELESS MOUSE\MOUSEAP.EXE
C:\PROGRAM FILES\BELKIN WIRELESS\BELKIN WIRELESS KEYBOARD\MAGICKEY.EXE
C:\PROGRAM FILES\BELKIN WIRELESS\BELKIN WIRELESS KEYBOARD\OSD.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZONEALARM.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
D:\SETUP APPS\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.superwebsearch.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.superwebsearch.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.superwebsearch.com/ie/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.crooder.com/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.superwebsearch.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.crooder.com/search/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.superwebsearch.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://www.ewebsearch.net/
F1 - win.ini: run=hpfsched
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Lexmark X84-X85 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X84-X85.exe
O4 - HKLM\..\Run: [Lexmark X84-X85 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X84-X85.exe
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [System Tray] C:\WINDOWS\TEMP\DOC_DETAILS.PIF
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - Startup: Enable Belkin Wireless Mouse Driver.lnk = C:\Program Files\Belkin Wireless\Belkin Wireless Mouse\MouseAp.exe
O4 - Startup: Enable Belkin Wireless Keyboard Driver.lnk = C:\Program Files\Belkin Wireless\Belkin Wireless Keyboard\MagicKey.exe
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37840.1797685185
O19 - User stylesheet: c:\windows\my.css

-----------------------------------------
Any feedback greatly appreciated

abbyk
 
Joined
Oct 9, 2001
Messages
9,396
Hi Abby.....
Run HijackThis again and put a checkmark against these entries....
.....then close all browser and Outlook windows and "fix checked"

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.superwebsearch.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.superwebsearch.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.superwebsearch.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.crooder.com/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.superwebsearch.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.crooder.com/search/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.superwebsearch.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://www.ewebsearch.net/
F1 - win.ini: run=hpfsched
O4 - HKLM\..\Run: [System Tray] C:\WINDOWS\TEMP\DOC_DETAILS.PIF
O19 - User stylesheet: c:\windows\my.css

Reboot into Safe Mode (by tapping the F8 key as Windows boots up) and delete:
c:\windows\my.css
C:\WINDOWS\TEMP\DOC_DETAILS.PIF

That was the cause of the slowdown......I believe your machine is clear of nasties now ;)
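The triage $teve did by eye above, as an added example (not code from this thread or from HijackThis itself): a small Python script that parses the line types this log contains and flags the same things with simple rules: IE search/start-page entries pointing at hosts outside an assumed allowlist, O4 autorun entries launched from a TEMP directory or from a .PIF, O19 user-stylesheet items, and F0/F1 win.ini items. The sample lines, the KNOWN_GOOD_HOSTS allowlist and the flagging rules are assumptions constructed for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample: lines in the shape of the HijackThis v1.96 log posted above.
SAMPLE_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Search Bar = http://www.superwebsearch.com/ie/
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Default_Page_URL = about:blank
F1 - win.ini: run=hpfsched
O4 - HKLM\\..\\Run: [AVG_CC] C:\\PROGRA~1\\GRISOFT\\AVG6\\avgcc32.exe /STARTUP
O4 - HKLM\\..\\Run: [InCD] C:\\Program Files\\Ahead\\InCD\\InCD.exe
O4 - HKLM\\..\\Run: [System Tray] C:\\WINDOWS\\TEMP\\DOC_DETAILS.PIF
O19 - User stylesheet: c:\\windows\\my.css
"""

# Assumed allowlist: hosts a search page or start page may legitimately point at.
KNOWN_GOOD_HOSTS = {"www.google.co.uk", "www.google.com", "www.msn.com", "www.microsoft.com"}

R_LINE = re.compile(r"^R[01] - (?P<key>.+?) = (?P<value>.*)$")
O4_REG = re.compile(r"^O4 - (?P<loc>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O4_STARTUP = re.compile(r"^O4 - (?:Global )?Startup: (?P<name>.+?) = (?P<cmd>.*)$")
O19_LINE = re.compile(r"^O19 - User stylesheet: (?P<path>.*)$")
F_LINE = re.compile(r"^F(?P<n>[01]) - (?P<file>[^:]+): (?P<entry>.*)$")
# First program path on a command line, ending in a Win9x-executable extension.
EXE_PATH = re.compile(r"^(?P<path>.*?\.(?:exe|pif|scr|com|bat))(?:\s|$)", re.IGNORECASE)


def check_line(line):
    """Return a reason string if the log line deserves attention, else None."""
    m = R_LINE.match(line)
    if m:
        url = urlparse(m.group("value").strip())
        # about:blank and similar non-http values are left alone.
        if url.scheme in ("http", "https") and url.hostname not in KNOWN_GOOD_HOSTS:
            return f"IE search/start page redirected to unknown host {url.hostname}"
        return None
    m = O4_REG.match(line) or O4_STARTUP.match(line)
    if m:
        p = EXE_PATH.match(m.group("cmd").strip())
        path = (p.group("path") if p else m.group("cmd")).upper()
        if "\\TEMP\\" in path:
            return "autorun entry launches a program from a TEMP directory"
        if path.endswith(".PIF"):
            return "autorun entry launches a .PIF (an attachment type Sobig uses)"
        return None
    if O19_LINE.match(line):
        return "user stylesheet set (a CoolWebSearch-style hijack item); review"
    m = F_LINE.match(line)
    if m:
        if m.group("n") == "0":
            return "F0 system.ini shell entry is always bad"
        return "F1 win.ini load/run entry; look up the filename before fixing"
    return None


def triage(log_text):
    """Map each suspicious log line to the reason it was flagged."""
    findings = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        reason = check_line(line)
        if reason:
            findings[line] = reason
    return findings


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG).items():
        print(f"{reason}\n    {line}")
```

The rules are deliberately conservative: a flagged line is a prompt to look up the filename or host, not an instruction to fix it, which is also what the F1 rule in the HijackThis tutorial says.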
 
Joined
Sep 27, 2002
Messages
867
A question $teve,

Since the DOC_DETAILS.PIF that is showing in

O4 - HKLM\..\Run: [System Tray] C:\WINDOWS\TEMP\DOC_DETAILS.PIF

is one of the attachment names Sobig uses, is it just a reference left in the registry or is it something that is still in the C:\WINDOWS\TEMP folder?
 
Joined
Oct 9, 2001
Messages
9,396
Well spotted VM............I was just looking at the CoolWeb hijacks, I didn't even bother to check the log thinking "virus"
it was just a quickie before dinner.

Abby, add the above entry to the H/T "fix" list (in fact I'll add it)

and thanx Virtual;)
 

abbyk

Thread Starter
Joined
Sep 14, 2003
Messages
541
$teve & VirtualMe, what can I say?

You guys r stunning!

Thanks 4 ur swift replies.

I will carry out the suggestion as soon as I get back to this pc.

Thought AVG would have cleaned properly, but obviously not.

Thanks again - u have brightened several people's PC experience with this help. :p

abbyk
 

abbyk

Thread Starter
Joined
Sep 14, 2003
Messages
541
Hey,

I just noticed u suggested removing
F1 - win.ini: run=hpfsched

I thought that was HP printer software?

abbyk
 
Joined
Sep 27, 2002
Messages
867
It is your choice on whether to remove it.

By having HijackThis remove hpfsched from win.ini: run= , you are just keeping it from starting up automatically (you are not removing the hpfsched file itself). You just will not have a popup remind you to clean the cartridges in your DeskJet.

Maybe these will explain, and help you decide.

hpfsched is a legitimate HP program, but

1. It can be an irritating popup

2. Some trojans or hijacks can use it as a smoke screen and piggyback since there is a legitimate HP file by that name.

Basically yours is probably legit, since you don't have any added lines behind it, as explained here, from the Symantec quote below.

The Trojan can add lines, such as load=c:\windows\temp\pkg2350.exe or run=hpfsched <blank spaces> msrexe.exe. (In this example, hpfsched is a legitimate program, but msrexe.exe is part of the Trojan.)


======================================

http://www.answersthatwork.com/Tasklist_pages/tasklist_h.htm

Hpfsched
HPFSched.exe

(Hewlett-Packard)
HPFSCHED.EXE is a background task which is installed by the drivers of some HP DeskJet printers (e.g. 660C, 670C, 680C, 690C, 720C). Its sole purpose is to remind you from time to time to clean the cartridges in your DeskJet so as to keep the print quality high. Most end-users find these popups extremely irritating and in that respect Epson have found a better compromise by implementing the cleaning of cartridges as an automatic hardware feature which kicks in at specific intervals of usage, as well as being something you can start manually.

Recommendation:
Disable or delete with Startup Manager.
==================================

http://forums.itrc.hp.com/cm/QuestionAnswer/1,,0x31bb6af52b04d5118fef0090279cd0f9,00.html

HPFSCHED is a small TSR that will remind you to clean the cartridges in your DeskJet from time to time in order to keep print quality high.

It can be removed from the run line in win.ini if you do not want that feature.

Hope this helps!
====================================
http://www.spywareinfo.com/~merijn/htlogtutorial.html#f

HijackThis log tutorial
What's good and what's bad?


What it looks like:
F0 - system.ini: Shell=Explorer.exe Openme.exe
F1 - win.ini: run=hpfsched

What to do:
The F0 items are always bad, so fix them.
The F1 items are usually very old programs that are safe, so you should find some more info on the filename to see if it's good or bad.
===================================
http://www.symantec.com/avcenter/venc/data/trojan.horse.html

4. Removing any references to the infected files added to the Win.ini and System.ini files

NOTES (For Windows Me users only):
The instructions in this section apply to users of Windows 95/98/Me systems only. It is not necessary to follow these instructions if you are running Windows NT/2000/XP.
Due to the file-protection process in Windows Me, there is a backup copy of the file that you need to edit in the C:\Windows\Recent folder. We recommend that you delete this file before continuing with the steps in this section. To do so using Windows Explorer, go to the C:\Windows\Recent folder, and in the right pane delete the Win.ini file. The Win.ini file will be regenerated as a copy of the file that you need to edit when you save your changes to it.
Click Start, and then click Run.

Type the following:

edit c:\windows\win.ini

And then click OK. (The MS-DOS Editor opens.)

NOTE: If Windows is installed in a different location, make the appropriate path substitution.

CAUTION: The steps that follow instruct you to remove text from the load= and run= lines of the Win.ini file. If you are using older programs, they may load at startup from one of these lines. The Trojan can add lines, such as load=c:\windows\temp\pkg2350.exe or run=hpfsched <blank spaces> msrexe.exe. (In this example, hpfsched is a legitimate program, but msrexe.exe is part of the Trojan.)
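The win.ini piggyback trick the Symantec quote describes (a second program hidden after hpfsched behind a run of blanks), as an added example that is not part of VirtualMe's post or of any of the quoted sources: a Python check that lists every program named on the load= and run= lines of the [windows] section, so padding hides nothing, and reports entries that are not on an operator-verified list. The two sample ini fragments and the KNOWN_GOOD set are constructed assumptions; the padded one is built to match the run=hpfsched <blank spaces> msrexe.exe shape in the quote.

```python
import re

# Constructed samples: a clean [windows] section, and one in the shape the Symantec
# note describes, with a second program hidden behind 60 blanks on the run= line.
CLEAN_INI = "[windows]\nload=\nrun=hpfsched\n"
PADDED_INI = (
    "[windows]\n"
    "load=c:\\windows\\temp\\pkg2350.exe\n"
    "run=hpfsched" + " " * 60 + "msrexe.exe\n"
)

# Assumed: program names (without extension) the operator has verified for this machine.
KNOWN_GOOD = {"hpfsched"}


def parse_startup_lines(ini_text):
    """Return {'load': [...], 'run': [...]} with every program named on the
    load= and run= lines of the [windows] section. Win.ini separates multiple
    programs with spaces or commas, so a long run of blanks hides nothing."""
    programs = {"load": [], "run": []}
    section = None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "windows" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        if key in programs:
            programs[key] = [p for p in re.split(r"[\s,]+", value.strip()) if p]
    return programs


def suspicious_entries(ini_text):
    """(line key, program, reason) for every startup program not on the verified list."""
    findings = []
    for key, names in parse_startup_lines(ini_text).items():
        for idx, name in enumerate(names):
            # Base filename without directory or extension, e.g. 'msrexe'.
            stem = name.rsplit("\\", 1)[-1].lower().rsplit(".", 1)[0]
            if stem in KNOWN_GOOD:
                continue
            if "\\temp\\" in name.lower():
                reason = "launched from a TEMP directory"
            elif idx > 0:
                reason = f"hidden after '{names[0]}' on the {key}= line"
            else:
                reason = "not on the verified list"
            findings.append((key, name, reason))
    return findings


if __name__ == "__main__":
    print("clean:", suspicious_entries(CLEAN_INI))
    for key, name, reason in suspicious_entries(PADDED_INI):
        print(f"{key}= {name}: {reason}")
```

Note that removing the F1 item in HijackThis drops the whole run= value, the legitimate hpfsched along with anything hidden behind it; the parser above lets you see each program separately before deciding.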
 

abbyk

Thread Starter
Joined
Sep 14, 2003
Messages
541
Hey thanks VirtualMe

I certainly will remove that "junk" startup ref. hpfsched

Your explanation is excellent.

I am learning stuff so quickly from u guys :D

abbyk
 

abbyk

Thread Starter
Joined
Sep 14, 2003
Messages
541
Hello again:)

I just got off the phone to my friend. I advised him of the steps you suggested $teve.

All went fine till we tried to delete C:\WINDOWS\TEMP\DOC_DETAILS.PIF
it was not there?

However there was a file in use in C:\WINDOWS\TEMP\
ZLT03d9f.tmp
which would not delete - (obviously - not in safe mode)

it did have today's date but after a reboot would still not delete

?????????? could be harmless :confused:

I got him to send me a new hijack this log if you could check again

Logfile of HijackThis v1.96.4
Scan saved at 09:49:14, on 17/09/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\LEXMARKX84-X85\ACMONITOR_X84-X85.EXE
C:\PROGRAM FILES\LEXMARKX84-X85\ACBTNMGR_X84-X85.EXE
C:\PROGRAM FILES\AHEAD\INCD\INCD.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZONEALARM.EXE
C:\PROGRAM FILES\BELKIN WIRELESS\BELKIN WIRELESS MOUSE\MOUSEAP.EXE
C:\PROGRAM FILES\BELKIN WIRELESS\BELKIN WIRELESS KEYBOARD\MAGICKEY.EXE
C:\PROGRAM FILES\BELKIN WIRELESS\BELKIN WIRELESS KEYBOARD\OSD.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
D:\SETUP APPS\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Lexmark X84-X85 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X84-X85.exe
O4 - HKLM\..\Run: [Lexmark X84-X85 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X84-X85.exe
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - Startup: Enable Belkin Wireless Mouse Driver.lnk = C:\Program Files\Belkin Wireless\Belkin Wireless Mouse\MouseAp.exe
O4 - Startup: Enable Belkin Wireless Keyboard Driver.lnk = C:\Program Files\Belkin Wireless\Belkin Wireless Keyboard\MagicKey.exe
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37876.0890625


Should I get him to safe mode to delete that temp file or is it ok?

AVG reports clear

Big thanks 4 your help with this cleanup
;)
abbyk
 
Joined
Sep 27, 2002
Messages
867
Hi abbyk,



I think ZLT(random numbers & letters).tmp are dropped by Zone Alarm. Not sure why.

As a precaution, I just saved the one I had, to a floppy for now and was able to delete it.

So far everything is running normal that I can tell.

1. You may be able to delete it if you shut down Zone Alarm.
or
2. Rename it from ZLT03d9f.tmp to ZLT03d9f.txt
or
3. Right click on it and remove the check marks from the Attributes:
 

abbyk

Thread Starter
Joined
Sep 14, 2003
Messages
541
thanks VirtualMe

that sounds good

I will check that and call the matter closed:cool:

abbyk
 