
Please HiJack this

Discussion in 'Web & Email' started by LinderP401, Oct 6, 2003.

Thread Status:
Not open for further replies.
  1. LinderP401

    LinderP401 Thread Starter

    Joined:
    Jul 26, 2003
    Messages:
    52
    I have recently "cleaned" my computer. I believe everything is running pretty good, but want to make sure there isn't anything running or on here that need not be. Thanks in advance. I love this website!! Has helped tremendously with other issues I have had.


    Logfile of HijackThis v1.97.2
    Scan saved at 7:26:21 AM, on 10/6/2003
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\ISP50\BIN\BARTSHEL.EXE
    C:\PROGRAM FILES\ISP50\DIALER\DIALER.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\PROGRAM FILES\ISP50\BIN\PPSHARED.EXE
    C:\PROGRAM FILES\ISP50\BIN\BARTSHEL.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\HPZSTATX.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\TEMP\TD_0001.DIR\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.peoplepc.com/search/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.msn.com/
    O2 - BHO: (no name) - {3DE88907-3E38-11D4-BEB2-CBE76C0598DD} - C:\PROGRAM FILES\ISP50\BIN\BANDOBJECT.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [devldr16.exe] C:\WINDOWS\SYSTEM\devldr16.exe
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: AIM (HKLM)
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37866.5802430556
    O16 - DPF: {94742E3F-D9A1-4780-9A87-2FFA43655DA2} - http://akamai.downloadv3.com/binaries/DialHTML/EGDHTML_US_pack.cab
    O16 - DPF: {C1C2AC28-5E4B-4228-B7A0-05E986FFCE14} (TIBSLoader Class) - http://go-in-now.com/tl4000.dll
    O16 - DPF: {405BBF5B-2FD8-4614-AC51-D8566F635B94} (SafeWallet Class) - http://64.69.77.23/SafeCommon/downloads/WalletCab.CAB
     
  2. LinderP401

    LinderP401 Thread Starter

    Joined:
    Jul 26, 2003
    Messages:
    52
    I almost forgot, in my startup files, I had an entry called system.dll checked. I unchecked it, as it appeared to be giving me problems. C:\WINDOWS\systemdll.exe. Can anyone tell me what this is? Although it is unchecked, it is still there. Thanks in advance.
     
  3. mobo

    mobo

    Joined:
    Feb 23, 2003
    Messages:
    16,274
  4. putasolution

    putasolution

    Joined:
    Mar 20, 2003
    Messages:
    4,823
    Mobo, you beat me to it ;)

    systemdll.exe is a trojan.

    It would be worth updating your antivirus and doing a full scan.
     
  5. mobo

    mobo

    Joined:
    Feb 23, 2003
    Messages:
    16,274

    Any idea why it isn't in the log?
     
  6. mobo

    mobo

    Joined:
    Feb 23, 2003
    Messages:
    16,274
    Pay no mind, as I see it was disabled by the user prior to logging from HJT... Yes, please update your scanner and do a scan, or do a scan here as well.
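
As an added example (not part of the thread and not HijackThis's own code): a small Python parser for the `code - body` entry lines of the HijackThis log in the first post. It lists the O4 autorun entries and the O16 download hosts, and shows that a startup item disabled before the scan, as noted in the reply above, leaves nothing in the log to search for. The regular expressions are assumptions inferred only from the line layout visible in that log.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Subset of the entry lines from the HijackThis log in the first post.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.msn.com/
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [devldr16.exe] C:\WINDOWS\SYSTEM\devldr16.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37866.5802430556
O16 - DPF: {94742E3F-D9A1-4780-9A87-2FFA43655DA2} - http://akamai.downloadv3.com/binaries/DialHTML/EGDHTML_US_pack.cab
O16 - DPF: {405BBF5B-2FD8-4614-AC51-D8566F635B94} (SafeWallet Class) - http://64.69.77.23/SafeCommon/downloads/WalletCab.CAB
"""

# Assumed layouts, inferred from the lines above (not an official grammar).
ENTRY = re.compile(r"^\s*([A-Z]\d{1,2}) - (.*)$")
O4 = re.compile(r"^(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O16 = re.compile(
    r"^DPF: (?P<clsid>\{[0-9A-Fa-f-]+\})(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)$")

def parse_log(text):
    """Return (code, body) per entry line; headers and process paths are skipped."""
    return [m.groups() for m in map(ENTRY.match, text.splitlines()) if m]

def autoruns(entries):
    """O4 lines as dicts with registry key, value name and command."""
    hits = (O4.match(body) for code, body in entries if code == "O4")
    return [m.groupdict() for m in hits if m]

def dpf_hosts(entries):
    """O16 lines as (class name, codebase host, host_is_ip_literal)."""
    out = []
    for m in (O16.match(b) for c, b in entries if c == "O16"):
        if not m:
            continue
        host = urlsplit(m["url"]).hostname or ""
        try:
            ipaddress.ip_address(host)
            is_ip = True
        except ValueError:
            is_ip = False
        out.append((m["name"] or "(no name)", host, is_ip))
    return out

def mentions(entries, needle):
    """Entry bodies containing needle, case-insensitively."""
    return [body for _, body in entries if needle.lower() in body.lower()]
```
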
     
  7. LinderP401

    LinderP401 Thread Starter

    Joined:
    Jul 26, 2003
    Messages:
    52
    When that file first showed up, I updated virus protection and ran a full scan; it did not show up. Is it harmless as long as I don't have it checked in startup? Thanks in advance.

    StartupList report, 10/6/2003, 8:12:59 AM
    StartupList version: 1.52
    Started from : C:\WINDOWS\TEMP\TD_0003.DIR\HIJACKTHIS.EXE
    Detected: Windows ME (Win9x 4.90.3000)
    Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    * Using default options
    ==================================================

    Running processes:

    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\ISP50\BIN\BARTSHEL.EXE
    C:\PROGRAM FILES\ISP50\DIALER\DIALER.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\PROGRAM FILES\ISP50\BIN\PPSHARED.EXE
    C:\PROGRAM FILES\ISP50\BIN\BARTSHEL.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\PROGRAM FILES\AIM95\AIM.EXE
    C:\WINDOWS\TEMP\TD_0003.DIR\HIJACKTHIS.EXE

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    ScanRegistry = C:\WINDOWS\scanregw.exe /autorun
    TaskMonitor = C:\WINDOWS\taskmon.exe
    Norton Auto-Protect = C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
    SystemTray = SysTray.Exe
    devldr16.exe = C:\WINDOWS\SYSTEM\devldr16.exe

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

    *StateMgr = C:\WINDOWS\System\Restore\StateMgr.exe
    SchedulingAgent = mstask.exe

    --------------------------------------------------

    C:\WINDOWS\WININIT.BAK listing:
    (Created 11/9/2003, 19:14:36)

    [rename]
    NUL=C:\PROGRA~1\COMMON~1\AOLSHARE\AOLUNI~1.EXE
    NUL=c:\PROGRA~1\COMMON~1\AOLSHARE\COACH\AOLCINUN.EXE
    DIRNUL=c:\PROGRA~1\COMMON~1\AOLSHARE\COACH

    --------------------------------------------------

    C:\AUTOEXEC.BAT listing:

    SET PATH=C:\WINDOWS;C:\WINDOWS\COMMAND
    SET windir=C:\WINDOWS
    SET winbootdir=C:\WINDOWS
    SET COMSPEC=C:\WINDOWS\COMMAND.COM
    SET PROMPT=$p$g
    SET TEMP=C:\WINDOWS\TEMP
    SET TMP=C:\WINDOWS\TEMP

    --------------------------------------------------


    Enumerating Task Scheduler jobs:

    Tune-up Application Start.job
    PCHealth Scheduler for Data Collection.job
    Scan for Viruses.job

    --------------------------------------------------

    Enumerating Download Program Files:

    [Update Class]
    InProcServer32 = C:\WINDOWS\SYSTEM\IUCTL.DLL
    CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37866.5802430556

    [SafeWallet Class]
    InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\SAFEAA32.DLL
    CODEBASE = http://64.69.77.23/SafeCommon/downloads/WalletCab.CAB

    --------------------------------------------------

    Enumerating ShellServiceObjectDelayLoad items:

    WebCheck: C:\WINDOWS\SYSTEM\WEBCHECK.DLL
    UPnPMonitor: C:\WINDOWS\SYSTEM\UPNPUI.DLL
    AUHook: C:\WINDOWS\SYSTEM\AUHOOK.DLL

    --------------------------------------------------
    End of report, 3,784 bytes
    Report generated in 0.039 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only
     
  8. putasolution

    putasolution

    Joined:
    Mar 20, 2003
    Messages:
    4,823
    I would do a search for it, right click and delete it.
     
  9. LinderP401

    LinderP401 Thread Starter

    Joined:
    Jul 26, 2003
    Messages:
    52
    I started to do that, but wasn't sure if it was attached to something that maybe I needed, thank you in advance.
     
  10. putasolution

    putasolution

    Joined:
    Mar 20, 2003
    Messages:
    4,823
    Go ahead and delete it.
     
  11. LinderP401

    LinderP401 Thread Starter

    Joined:
    Jul 26, 2003
    Messages:
    52
    Thank you all so much for the help. I deleted systemdll, went ahead and updated virus, ran full scan, everything ok. I proceeded to do the next part of the startup list on hijack this. I haven't heard anything about that, so I am assuming everything else is ok. I want to thank you all. This website is very helpful.
     
  12. LinderP401

    LinderP401 Thread Starter

    Joined:
    Jul 26, 2003
    Messages:
    52
    Almost forgot, am I supposed to run another scan, and post it here, or as long as I fix checked 3 lines I was told to, everything ok?
     
  13. putasolution

    putasolution

    Joined:
    Mar 20, 2003
    Messages:
    4,823
    Just those three items, then you'll be clean :D
     
  14. LinderP401

    LinderP401 Thread Starter

    Joined:
    Jul 26, 2003
    Messages:
    52
    Thank you all very much!!!!!!!!!!!
     
  15. mobo

    mobo

    Joined:
    Feb 23, 2003
    Messages:
    16,274
    Good Day
     
Short URL to this thread: https://techguy.org/169856