1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

HijackThis Log

Discussion in 'Virus & Other Malware Removal' started by jennifer_g, Apr 22, 2004.

Thread Status:
Not open for further replies.
Advertisement
  1. jennifer_g

    jennifer_g Thread Starter

    Joined:
    Apr 21, 2004
    Messages:
    18
    I just realized I've been posting my problems in the wrong forum. Sorry mods! :eek:

    My problem was ad/spyware and trojans that wouldn't go away. My antivirus program was going crazy when I'd open IE and anytime I'd click the IE search box it would notify me of a trojan it couldn't remove. I would go in and manually remove the trojan(called Exploit) but it would come right back as soon as I launched my browser. I was also having scrolling and typing problems. After browsing through the forum I downloaded Spybot and ran that in addition to the Ad-Aware I had already been using. That still didn't get rid of it. I then downloaded CWShredder and ran that. I rebooted and it finally let me open IE without crashing or going crazy. The search box problem seems to be fixed now to.

    I ran HijackThis again and thought I'd post an updated log so someone could help me see if I've gotten it all.

    Here's the log:

    Logfile of HijackThis v1.97.7
    Scan saved at 1:59:24 AM, on 4/22/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\VETMSG9X.EXE
    C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\VETTRAY.EXE
    C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ FIREWALL\CA.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\DBC16GTO.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\PROGRAM FILES\WINDOWS MEDIA PLAYER\WMPLAYER.EXE
    C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
    R3 - Default URLSearchHook is missing
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_01.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\zpfuz2pv.slt\prefs.js)
    O2 - BHO: Clear Search - {00000000-0000-0000-0000-000000000240} - C:\PROGRAM FILES\CLEARSEARCH\IE_CLRSCH.DLL (file missing)
    O2 - BHO: (no name) - {82315A18-6CFB-44a7-BDFD-90E36537C252} - C:\Program Files\QuickSearch\QuickSearchBar1_27.dll (file missing)
    O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - (no file)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O3 - Toolbar: QuickSearch Search Bar - {82315A18-6CFB-44a7-BDFD-90E36537C252} - C:\Program Files\QuickSearch\QuickSearchBar1_27.dll (file missing)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [Vet Alert] C:\WINDOWS\System\VetMsg9x.exe
    O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VETTRAY.EXE
    O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\ca.exe
    O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\BXXS5.DLL,DllRun
    O4 - HKLM\..\Run: [DBC16GTO] C:\WINDOWS\SYSTEM\DBC16GTO.exe
    O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O16 - DPF: {4248083C-9656-11D2-8B7F-00105A17847A} - http://downloads.mplayer.com/HearMeAutoInstaller.exe
    O16 - DPF: {E4B48560-123D-11d3-A73F-0060083E64FF} (Communities.com TPV Support) - http://www.thepalace.com/TPV/CC_SUPPORT.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...le.com/samantha/us/win/QuickTimeInstaller.exe
    O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4290/mcfscan.cab
    O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38097.8784837963
    O19 - User stylesheet: (file missing)


    TIA!
     
  2. stillearning

    stillearning

    Joined:
    Mar 15, 2004
    Messages:
    389
    Hi :D . Unzip HJT into it's own permanent folder before doing anything in order for it to create backups. (Not a temporary folder & not on the desktop). Close all (browser) windows & have HJT fix these entries by placing a check in the appropriate box=

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R3 - Default URLSearchHook is missing

    O2 - BHO: Clear Search - {00000000-0000-0000-0000-000000000240} - C:\PROGRAM FILES\CLEARSEARCH\IE_CLRSCH.DLL (file missing)
    O2 - BHO: (no name) - {82315A18-6CFB-44a7-BDFD-90E36537C252} - C:\Program Files\QuickSearch\QuickSearchBar1_27.dll (file missing)
    O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - (no file)

    O3 - Toolbar: QuickSearch Search Bar - {82315A18-6CFB-44a7-BDFD-90E36537C252} - C:\Program Files\QuickSearch\QuickSearchBar1_27.dll (file missing)

    04 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\BXXS5.DLL,DllRun
    O4 - HKLM\..\Run: [DBC16GTO] C:\WINDOWS\SYSTEM\DBC16GTO.exe

    O19 - User stylesheet: (file missing)

    Reboot into safe mode following the instructions here & navigate to & delete

    C:\PROGRAM FILES\CLEARSEARCH< this one
    C:\Program Files\QuickSearch< this one
    C:\WINDOWS\BXXS5.DLL< this one
    C:\WINDOWS\SYSTEM\DBC16GTO.exe< this one

    Reboot normally after doing the above then post a fresh log plz.
     
  3. jennifer_g

    jennifer_g Thread Starter

    Joined:
    Apr 21, 2004
    Messages:
    18
    Sorry to sound stupid but I'm not sure what you mean by unzip HJT into it's own file. HJT downloaded as an exe. I'm not sure how to move it from Desktop. :confused:
     
  4. jennifer_g

    jennifer_g Thread Starter

    Joined:
    Apr 21, 2004
    Messages:
    18
    Nevermind my above question. I zipped it and then extracted it to Program Files. :)
     
  5. stillearning

    stillearning

    Joined:
    Mar 15, 2004
    Messages:
    389
    Provided that HijackThis is in it's own folder that's fine, otherwise you will have backups scattered everywhere. Generally one creates a new folder then extract hijackthis to there.
     
  6. jennifer_g

    jennifer_g Thread Starter

    Joined:
    Apr 21, 2004
    Messages:
    18
    I followed your instructions but none of the programs you told me to delete in safe mode were there. I made sure it was showing hidden files as well. There was a folder in C:/Windows titled bsx32 that seemed suspicious though. The files inside were labeled like cars.bsx, insur.bsx, etc. Is that ad/spyware?

    Here is the updated log:
    Logfile of HijackThis v1.97.7
    Scan saved at 12:19:47 AM, on 4/22/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\VETMSG9X.EXE
    C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\VETTRAY.EXE
    C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ FIREWALL\CA.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\UNGLEJ.EXE
    C:\HIJACKTHIS.EXE
    C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\AUTODOWN.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_01.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\zpfuz2pv.slt\prefs.js)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [Vet Alert] C:\WINDOWS\System\VetMsg9x.exe
    O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VETTRAY.EXE
    O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\ca.exe
    O4 - HKLM\..\Run: [ungleJ] C:\WINDOWS\SYSTEM\ungleJ.exe
    O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O16 - DPF: {4248083C-9656-11D2-8B7F-00105A17847A} - http://downloads.mplayer.com/HearMeAutoInstaller.exe
    O16 - DPF: {E4B48560-123D-11d3-A73F-0060083E64FF} (Communities.com TPV Support) - http://www.thepalace.com/TPV/CC_SUPPORT.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...le.com/samantha/us/win/QuickTimeInstaller.exe
    O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4290/mcfscan.cab
    O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38097.8784837963


    Something seems wrong with the running processes list. I don't know what some of those are.
     
  7. stillearning

    stillearning

    Joined:
    Mar 15, 2004
    Messages:
    389
    That bsx32 folder appears to be associated with some spyware. delete the contents of that folder, then the folder itself. then search for this file bsx32.ini & delete it if found.

    You still need to put hijackthis into it's folder or you will end up with backups spread out everywhere. Create a new folder in My Documents & close Hijackthis, then drag HijackThis.exe into that folder.

    Close all (browser) windows & have HJT fix these entries by placing a check in the appropriate box=

    O4 - HKLM\..\Run: [ungleJ] C:\WINDOWS\SYSTEM\ungleJ.exe

    Go here for an on-line scan & set it to autoclean for you.
     
  8. jennifer_g

    jennifer_g Thread Starter

    Joined:
    Apr 21, 2004
    Messages:
    18
    For some reason this one only shows up on the saved log. When I run the scan and look for it to check the box, it's not there.


    I put HJT in it's own folder. I also ran that online scan. It found and deleted 1 malware and 4 infected files. All infected files looked to be trojans. My VS which I just updated and ran today must not be working well. *sighs*

    With those infected files gone do you want me to post another HJT log?
     
  9. stillearning

    stillearning

    Joined:
    Mar 15, 2004
    Messages:
    389
    Another log wouldn't hurt just to be sure that you are clean.
     
  10. jennifer_g

    jennifer_g Thread Starter

    Joined:
    Apr 21, 2004
    Messages:
    18
    Here's an updated HJT log:

    Logfile of HijackThis v1.97.7
    Scan saved at 4:55:10 AM, on 4/22/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\VETMSG9X.EXE
    C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\VETTRAY.EXE
    C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ FIREWALL\CA.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\MY DOCUMENTS\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_01.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\zpfuz2pv.slt\prefs.js)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [Vet Alert] C:\WINDOWS\System\VetMsg9x.exe
    O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VETTRAY.EXE
    O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\ca.exe
    O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O16 - DPF: {4248083C-9656-11D2-8B7F-00105A17847A} - http://downloads.mplayer.com/HearMeAutoInstaller.exe
    O16 - DPF: {E4B48560-123D-11d3-A73F-0060083E64FF} (Communities.com TPV Support) - http://www.thepalace.com/TPV/CC_SUPPORT.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...le.com/samantha/us/win/QuickTimeInstaller.exe
    O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4290/mcfscan.cab
    O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38097.8784837963
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/7d90ae05585062/housecall.antivirus.com/housecall/xscan53.cab
     
  11. stillearning

    stillearning

    Joined:
    Mar 15, 2004
    Messages:
    389
    your ok now.
     
  12. jennifer_g

    jennifer_g Thread Starter

    Joined:
    Apr 21, 2004
    Messages:
    18
    Thank you for all of your help! :)
     
  13. stillearning

    stillearning

    Joined:
    Mar 15, 2004
    Messages:
    389
    You are very welcome.
     
  14. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/222828

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice