
HijackThis log post-cleanup - Sobig, Win98

Discussion in 'Virus & Other Malware Removal' started by abbyk, Sep 14, 2003.

Thread Status:
Not open for further replies.
  1. abbyk

    abbyk Thread Starter

    Joined:
    Sep 14, 2003
    Messages:
    541
    Hi guys

    This is my 1st posting here :)

    After cleaning a friend's PC - AVG, Spybot - I ran HijackThis.
    One Sobig virus found & cleaned.
    PC (P3 733, 128 MB) still seems sluggish - I think due to a Lexmark & HP printer connected + it will probably benefit from an extra 128 MB RAM.
    I believe the machine is clean of nasties now but would like to make sure.

    Logfile of HijackThis v1.96.4
    Scan saved at 21:49:53, on 11/09/03
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\LEXMARKX84-X85\ACMONITOR_X84-X85.EXE
    C:\PROGRAM FILES\LEXMARKX84-X85\ACBTNMGR_X84-X85.EXE
    C:\WINDOWS\SYSTEM\PRINTRAY.EXE
    C:\PROGRAM FILES\AHEAD\INCD\INCD.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\PROGRAM FILES\BELKIN WIRELESS\BELKIN WIRELESS MOUSE\MOUSEAP.EXE
    C:\PROGRAM FILES\BELKIN WIRELESS\BELKIN WIRELESS KEYBOARD\MAGICKEY.EXE
    C:\PROGRAM FILES\BELKIN WIRELESS\BELKIN WIRELESS KEYBOARD\OSD.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZONEALARM.EXE
    C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
    D:\SETUP APPS\HIJACKTHIS\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.superwebsearch.com/ie/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.superwebsearch.com/ie/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.superwebsearch.com/ie/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.crooder.com/search/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.superwebsearch.com/ie/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.crooder.com/search/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.superwebsearch.com/ie/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://www.ewebsearch.net/
    F1 - win.ini: run=hpfsched
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [Lexmark X84-X85 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X84-X85.exe
    O4 - HKLM\..\Run: [Lexmark X84-X85 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X84-X85.exe
    O4 - HKLM\..\Run: [LexStart] Lexstart.exe
    O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [System Tray] C:\WINDOWS\TEMP\DOC_DETAILS.PIF
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
    O4 - Startup: Enable Belkin Wireless Mouse Driver.lnk = C:\Program Files\Belkin Wireless\Belkin Wireless Mouse\MouseAp.exe
    O4 - Startup: Enable Belkin Wireless Keyboard Driver.lnk = C:\Program Files\Belkin Wireless\Belkin Wireless Keyboard\MagicKey.exe
    O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37840.1797685185
    O19 - User stylesheet: c:\windows\my.css

    -----------------------------------------
    Any feedback greatly appreciated

    abbyk
     
  2. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
    Hi abby.....
    Run HijackThis again and put a checkmark against these entries....
    .....then close all browser and Outlook windows and "fix checked":

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.superwebsearch.com/ie/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.superwebsearch.com/ie/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.superwebsearch.com/ie/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.crooder.com/search/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.superwebsearch.com/ie/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.crooder.com/search/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.superwebsearch.com/ie/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://www.ewebsearch.net/
    F1 - win.ini: run=hpfsched
    O4 - HKLM\..\Run: [System Tray] C:\WINDOWS\TEMP\DOC_DETAILS.PIF
    O19 - User stylesheet: c:\windows\my.css

    Reboot into Safe Mode (by tapping the F8 key as Windows boots up) and delete:
    c:\windows\my.css
    C:\WINDOWS\TEMP\DOC_DETAILS.PIF

    That was the cause of the slowdown...... I believe your machine is clear of nasties now ;)
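An added example, not code from anyone in this thread and not HijackThis's own logic: a small Python script that applies the rules used in the reply above to a log in HijackThis format. It flags start/search-page URLs that point at an unfamiliar host, a Run value whose target is a .PIF sitting under C:\WINDOWS\TEMP, the O19 user stylesheet, and a value name such as "System Tray" that imitates the genuine "SystemTray" entry, and it also checks whether each absolute autorun target is still on disk, since a scanner that deletes the file leaves the registry value behind. The sample log, the allowlist of known-good hosts and the set of files "present on disk" are all constructed for the example.

```python
"""Triage a HijackThis-style log with the rules used in this thread.

Added example: the editor's code, not HijackThis's own logic and not anything
posted in the thread. The allowlist, the sample log and the "present on disk"
set are constructed for the example.
"""
import ntpath
import re
from urllib.parse import urlparse

# Constructed sample modelled on the entry types in the thread (not the full log).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.superwebsearch.com/ie/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
F1 - win.ini: run=hpfsched
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [System Tray] C:\WINDOWS\TEMP\DOC_DETAILS.PIF
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O19 - User stylesheet: c:\windows\my.css
"""

# Constructed stand-in for a directory listing: the absolute autorun targets
# that actually exist (on the real machine you would call os.path.exists).
# The .PIF has already been removed, leaving only its registry value.
PRESENT_FILES = {
    r"c:\progra~1\grisoft\avg6\avgcc32.exe",
    r"c:\windows\system\zonelabs\vsmon.exe",
}

KNOWN_GOOD_HOSTS = {"www.google.co.uk", "www.google.com", "www.msn.com"}  # assumed
ODD_AUTORUN_EXTS = {".pif", ".scr", ".bat", ".com", ".vbs", ".js"}

R_RE = re.compile(r"^R[01] - (?P<key>[^,]+),(?P<value>.+?) = (?P<data>.*)$")
O4_RE = re.compile(r"^O4 - (?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O19_RE = re.compile(r"^O19 - User stylesheet: (?P<path>.*)$")
F1_RE = re.compile(r"^F1 - win\.ini: (?P<setting>run|load)=(?P<data>.*)$", re.IGNORECASE)
TEMP_DIR_RE = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)
DRIVE_RE = re.compile(r"^[a-z]:\\", re.IGNORECASE)


def first_token(cmd):
    """Program path from a Run-key command line (quoted, or first whitespace token)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def triage(log_text, present_files):
    """Return (severity, reason, evidence) tuples, 'high' findings first."""
    findings, names = [], {}
    for line in (raw.strip() for raw in log_text.splitlines()):
        if not line:
            continue
        m = R_RE.match(line)
        if m:  # R0/R1: IE start/search URLs; about:blank has no host and passes
            host = (urlparse(m.group("data").strip()).hostname or "").lower()
            if host and host not in KNOWN_GOOD_HOSTS:
                findings.append(("high", "IE search/start page points at %s" % host, line))
            continue
        m = O4_RE.match(line)
        if m:  # O4: registry Run/RunServices values
            raw_name = m.group("name")
            names.setdefault(re.sub(r"\s+", "", raw_name).lower(), set()).add(raw_name)
            path = first_token(m.group("cmd"))
            ext = ntpath.splitext(path)[1].lower()
            if ext in ODD_AUTORUN_EXTS:
                findings.append(("high", "autorun target has %s extension" % ext, line))
            if TEMP_DIR_RE.search(path):
                findings.append(("high", "autorun target lives in a temp directory", line))
            if DRIVE_RE.match(path) and path.lower() not in present_files:
                findings.append(("info", "target not on disk: stale registry value, remove it", line))
            continue
        if O19_RE.match(line):
            findings.append(("high", "user stylesheet set; alongside search hijacks this is part of the hijack", line))
            continue
        m = F1_RE.match(line)
        if m:
            findings.append(("info", "legacy win.ini %s= autorun: confirm '%s' is expected"
                             % (m.group("setting").lower(), m.group("data").strip()), line))
    for group in names.values():  # "[System Tray]" next to "[SystemTray]" is a lookalike
        if len(group) > 1:
            findings.append(("high", "autorun value names differ only by spacing", " / ".join(sorted(group))))
    rank = {"high": 0, "info": 1}
    return sorted(findings, key=lambda f: rank[f[0]])


if __name__ == "__main__":
    for sev, reason, evidence in triage(SAMPLE_LOG, PRESENT_FILES):
        print("%-4s %s\n     %s" % (sev.upper(), reason, evidence))
```

Run as a script it prints the findings for the constructed log. A "stale registry value" result is the case where the scanner already removed the file: there is nothing left to delete in Safe Mode, but the Run value still has to be fixed in HijackThis or the name will keep appearing in every log.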
     
  3. VirtualMe

    VirtualMe

    Joined:
    Sep 27, 2002
    Messages:
    867
    A question, $teve,

    Since the DOC_DETAILS.PIF that is showing in

    O4 - HKLM\..\Run: [System Tray] C:\WINDOWS\TEMP\DOC_DETAILS.PIF

    is one of the attachment names Sobig uses, is it just a reference left in the registry, or is it something that is still in the C:\WINDOWS\TEMP folder?
     
  4. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
    Well spotted, VM............ I was just looking at the CoolWeb hijacks; I didn't even bother to check the log, thinking "virus".
    It was just a quickie before dinner.

    Abby, add the above entry to the H/T "fix" list (in fact I'll add it).

    And thanks, Virtual ;)
     
  5. VirtualMe

    VirtualMe

    Joined:
    Sep 27, 2002
    Messages:
    867
    You're welcome!
     
  6. abbyk

    abbyk Thread Starter

    Joined:
    Sep 14, 2003
    Messages:
    541
    $teve & VirtualMe, what can I say?

    You guys are stunning!

    Thanks for your swift replies.

    I will carry out the suggestion as soon as I get back to this PC.

    Thought AVG would have cleaned properly, but obviously not.

    Thanks again - you have brightened several people's PC experience with this help. :p

    abbyk
     
  7. abbyk

    abbyk Thread Starter

    Joined:
    Sep 14, 2003
    Messages:
    541
    Hey,

    I just noticed you suggested removing
    F1 - win.ini: run=hpfsched

    I thought that was HP printer software?

    abbyk
     
  8. VirtualMe

    VirtualMe

    Joined:
    Sep 27, 2002
    Messages:
    867
    It is your choice whether to remove it.

    By having HijackThis remove hpfsched from win.ini: run=, you are just keeping it from starting up automatically (you are not removing the hpfsched file itself). You just will not have a popup remind you to clean the cartridges in your DeskJet.

    Maybe these will explain, and help you decide.

    hpfsched is a legitimate HP program, but

    1. It can be an irritating popup.

    2. Some trojans or hijacks can use it as a smoke screen and piggyback, since there is a legitimate HP file by that name.

    Basically yours is probably legit, since you don't have any added lines behind it, as explained here, from the Symantec quote below.



    ======================================

    http://www.answersthatwork.com/Tasklist_pages/tasklist_h.htm

    Hpfsched
    HPFSched.exe

    (Hewlett-Packard)
    HPFSCHED.EXE is a background task which is installed by the drivers of some HP DeskJet printers (e.g. 660C, 670C, 680C, 690C, 720C). Its sole purpose is to remind you from time to time to clean the cartridges in your DeskJet so as to keep the print quality high. Most end-users find these popups extremely irritating and in that respect Epson have found a better compromise by implementing the cleaning of cartridges as an automatic hardware feature which kicks in at specific intervals of usage, as well as being something you can start manually.

    Recommendation :
    Disable or delete with Startup Manager.
    ==================================

    http://forums.itrc.hp.com/cm/QuestionAnswer/1,,0x31bb6af52b04d5118fef0090279cd0f9,00.html

    ====================================
    http://www.spywareinfo.com/~merijn/htlogtutorial.html#f

    ===================================
    http://www.symantec.com/avcenter/venc/data/trojan.horse.html
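An added example (the editor's code, not VirtualMe's and not from HP or any of the pages linked above): a parser for the [windows] section of win.ini that lists every program on the load= and run= lines and judges each one on its own, so a bare run=hpfsched comes back as the known HP reminder while a .PIF from C:\WINDOWS\TEMP tacked on behind it comes back as something to remove. That is the "added lines behind it" check from the reply above, done mechanically. The two win.ini fragments are constructed, EXTRA.PIF is a made-up name, and treating spaces and commas as the separators between programs is an assumption about the win.ini format.

```python
"""Audit the [windows] load=/run= lines of a Win9x win.ini.

Added example: the editor's code, not from the thread, HijackThis or HP.
The win.ini fragments are constructed and the benign-name set is assumed.
"""
import ntpath
import re

# Constructed: a win.ini with only the HP cartridge-cleaning reminder on run=.
CLEAN_WIN_INI = """\
[windows]
load=
run=hpfsched
NullPort=None
[Desktop]
Wallpaper=(None)
"""

# Constructed: the same file with an extra program tacked on behind the
# legitimate name (the "piggyback" pattern). EXTRA.PIF is a made-up name.
PIGGYBACKED_WIN_INI = """\
[windows]
load=
run=hpfsched C:\\WINDOWS\\TEMP\\EXTRA.PIF
NullPort=None
"""

KNOWN_BENIGN = {"hpfsched", "hpfsched.exe"}  # assumption: HP DeskJet reminder
RISKY_EXTS = {".pif", ".scr", ".bat", ".com"}
TEMP_DIR_RE = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)


def parse_ini(text):
    """Minimal INI reader: {section: {key: [values]}}, keeping duplicate keys."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current].setdefault(key.strip().lower(), []).append(value.strip())
    return sections


def autorun_programs(text):
    """(setting, program) for each program on [windows] load= and run=.
    Programs are taken to be separated by spaces or commas (assumed), so a
    path containing spaces cannot appear here at all."""
    windows = parse_ini(text).get("windows", {})
    progs = []
    for setting in ("load", "run"):
        for value in windows.get(setting, []):
            progs.extend((setting, p) for p in re.split(r"[ ,]+", value) if p)
    return progs


def audit(text):
    """(setting, program, verdict) per entry. Each program is judged on its own
    name and location, so a .PIF from TEMP appended behind hpfsched is flagged
    while hpfsched itself is not."""
    verdicts = []
    for setting, prog in autorun_programs(text):
        base = ntpath.basename(prog).lower()
        ext = ntpath.splitext(base)[1]
        if base in KNOWN_BENIGN and not TEMP_DIR_RE.search(prog):
            verdict = "known benign: HP cartridge reminder, disabling is optional"
        elif ext in RISKY_EXTS or TEMP_DIR_RE.search(prog):
            verdict = "remove: unexpected program appended to %s=" % setting
        else:
            verdict = "review: unrecognised program"
        verdicts.append((setting, prog, verdict))
    return verdicts


if __name__ == "__main__":
    for label, ini in (("clean", CLEAN_WIN_INI), ("piggybacked", PIGGYBACKED_WIN_INI)):
        print(label)
        for setting, prog, verdict in audit(ini):
            print("  %s=%s -> %s" % (setting, prog, verdict))
```

The point of splitting the line is that HijackThis's F1 entry shows the whole run= value as one string; once it is split per program, the decision to keep or drop hpfsched is separate from the decision about anything riding along behind it.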

     
  9. abbyk

    abbyk Thread Starter

    Joined:
    Sep 14, 2003
    Messages:
    541
    Hey thanks VirtualMe

    I certainly will remove that "junk" startup ref., hpfsched.

    Your explanation is excellent.

    I am learning stuff so quickly from you guys :D

    abbyk
     
  10. VirtualMe

    VirtualMe

    Joined:
    Sep 27, 2002
    Messages:
    867
    You are welcome!
     
  11. abbyk

    abbyk Thread Starter

    Joined:
    Sep 14, 2003
    Messages:
    541
    Hello again:)

    I just got off the phone to my friend. I advised him of the steps you suggested $teve.

    All went fine till we tried to delete C:\WINDOWS\TEMP\DOC_DETAILS.PIF
    - it was not there?

    However there was a file in use in C:\WINDOWS\TEMP\
    ZLT03d9f.tmp
    which would not delete (obviously - not in Safe Mode).

    It did have today's date, but after a reboot it would still not delete.

    ?????????? could be harmless :confused:

    I got him to send me a new HijackThis log, if you could check again:

    Logfile of HijackThis v1.96.4
    Scan saved at 09:49:14, on 17/09/03
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\LEXMARKX84-X85\ACMONITOR_X84-X85.EXE
    C:\PROGRAM FILES\LEXMARKX84-X85\ACBTNMGR_X84-X85.EXE
    C:\PROGRAM FILES\AHEAD\INCD\INCD.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZONEALARM.EXE
    C:\PROGRAM FILES\BELKIN WIRELESS\BELKIN WIRELESS MOUSE\MOUSEAP.EXE
    C:\PROGRAM FILES\BELKIN WIRELESS\BELKIN WIRELESS KEYBOARD\MAGICKEY.EXE
    C:\PROGRAM FILES\BELKIN WIRELESS\BELKIN WIRELESS KEYBOARD\OSD.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    D:\SETUP APPS\HIJACKTHIS\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [Lexmark X84-X85 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X84-X85.exe
    O4 - HKLM\..\Run: [Lexmark X84-X85 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X84-X85.exe
    O4 - HKLM\..\Run: [LexStart] Lexstart.exe
    O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
    O4 - Startup: Enable Belkin Wireless Mouse Driver.lnk = C:\Program Files\Belkin Wireless\Belkin Wireless Mouse\MouseAp.exe
    O4 - Startup: Enable Belkin Wireless Keyboard Driver.lnk = C:\Program Files\Belkin Wireless\Belkin Wireless Keyboard\MagicKey.exe
    O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37876.0890625


    Should I get him to Safe Mode to delete that temp file, or is it OK?

    AVG reports clear.

    Big thanks for your help with this cleanup
    ;)
    abbyk
     
  12. VirtualMe

    VirtualMe

    Joined:
    Sep 27, 2002
    Messages:
    867
    Hi abbyk,



    I think ZLT(random numbers & letters).tmp are dropped by Zone Alarm. Not sure why.

    As a precaution, I just saved the one I had, to a floppy for now and was able to delete it.

    So far everything is running normal that I can tell.

    1. You may be able to delete it if you shut down Zone Alarm.
    or
    2. Rename it from ZLT03d9f.tmp to ZLT03d9f.txt
    or
    3. Right click on it and remove the check marks from the Attributes:
     
  13. abbyk

    abbyk Thread Starter

    Joined:
    Sep 14, 2003
    Messages:
    541
    Thanks VirtualMe

    That sounds good.

    I will check that and call the matter closed :cool:

    abbyk
     
  14. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
    The log is clean and the .tmp file is safe to delete, abby.

    ;)
     
Short URL to this thread: https://techguy.org/164713
