Help - Search - Members - Calendar
Full Version: Hijack This Log
Suggest A Fix PC Support Forums > Security > Malicious Code: Viruses, Trojans, Spyware and Browser HiJacking
liz1836
May 3 2005, 04:31 PM
I have a couple of things to ask for help. First I did a scan on HouseCall and found the following things.

TROJ_LOADER.D

TROJ_ISTBAR.CF

JS_NOCLOSE.E

I have not removed them yet. Do I just delete them or do I need to manually remove them?

Here is a post of the hijack this log for this machine. Could you please look it over and let me know what I need to do to clean it up. Thank you for your help.

Liz


Logfile of HijackThis v1.99.1
Scan saved at 6:23:46 PM, on 5/3/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\NOVELL\CLIENT32\NWRECMSG.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
F:\PUBLIC\CLNTRUST.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\DPMW32.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\CA\ETRUST\INOCULATEIT\REALMON.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WND.EXE
C:\PROGRAM FILES\AUTOUPDATE\AUTOUPDATE.EXE
C:\WINDOWS\SYSTEM\PIDTKPRP.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WNF.EXE
C:\PROGRAM FILES\MSWORKS\CALENDAR\WKCALREM.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\CXTPLS\CXTPLS.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\HIJACK THIS\HIJACKTHIS.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL/sa
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ms101.mysearch.com/sa/srchlft.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.1.251:8080
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {4DFB3008-B415-0ABA-8722-6D5504F07C46} - C:\WINDOWS\SYSTEM\WZQ.DLL (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\PROGRAM FILES\CXTPLS\CXTPLS.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\SYSTEM\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\SYSTEM\dpmw32.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Realtime Monitor] "C:\Program Files\CA\eTrust\InoculateIT\realmon.exe"
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [AutoUpdater] "c:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [q27f37O] PIDTKPRP.EXE
O4 - HKLM\..\RunServices: [Workstation Scheduler] C:\novell\client32\wm95.exe
O4 - HKLM\..\RunServices: [InoTask] C:\Program Files\CA\eTrust\InoculateIT\InoTask.exe
O4 - HKLM\..\RunServices: [InoRT] C:\Program Files\CA\eTrust\InoculateIT\InoRT9x.exe
O4 - HKLM\..\RunServices: [InoRPC] C:\Program Files\CA\eTrust\InoculateIT\InoRpc.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [b1opRXinh] OITINF16.EXE
O4 - Startup: GroupWise Notify.lnk = C:\NOVELL\GroupWise\Notify.exe
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\MSWorks\Calendar\WKCALREM.EXE
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://autos.msn.com/components/ocx/exteri...ior/Outside.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug/tr...Transporter.cab?

HKEd
May 3 2005, 08:42 PM
You have some nasties aboard, Liz.

Disable Teatimer before you start the cleanup. It will not allow the changes to the registry that HijackThis will make. You disable it with in Spybot S&D itself.

Run HijackThis and click on Config > Misc Tools > Open Process Manager. Highlight these in turn and click on Kill Process:

C:\PROGRAM FILES\AUTOUPDATE\AUTOUPDATE.EXE

C:\WINDOWS\SYSTEM\PIDTKPRP.EXE

C:\PROGRAM FILES\CXTPLS\CXTPLS.EXE

Run a HijackThis scan and put checks in the boxes next to these lines:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL/sa

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ms101.mysearch.com/sa/srchlft.html

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.1.251:8080 << If you don't use a proxy server

R3 - Default URLSearchHook is missing

02 - BHO: (no name) - {4DFB3008-B415-0ABA-8722-6D5504F07C46} - C:\WINDOWS\SYSTEM\WZQ.DLL (file missing)

O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\PROGRAM FILES\CXTPLS\CXTPLS.DLL

O4 - HKLM\..\Run: [AutoUpdater] "c:\Program Files\AutoUpdate\AutoUpdate.exe"

O4 - HKLM\..\Run: [q27f37O] PIDTKPRP.EXE

O4 - HKCU\..\Run: [b1opRXinh] OITINF16.EXE

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1 << Did you set this yourself? It may be a TeaTimer setting.

Close all open windows except HijackThis and click on 'Fix checked'.

Reboot and hold down the Ctrl key as the system starts until you get a menu. Choose Safe Mode and press Enter.

In safe mode, make all files and folders visible:
QUOTE
    * Open My Computer.
    * Select the View menu and click Folder Options.
    * Select the View Tab.
    * In the Hidden files section select Show all files.
    * Click OK.

Search for and delete the following if found:

C:\PROGRAM FILES\TOOLBAR << Folder

C:\PROGRAM FILES\CXTPLS << Folder

C:\Program Files\AutoUpdate << Folder

PIDTKPRP.EXE

OITINF16.EXE

Update Spybot before you boot to safe mode and run it while there. You may need to install AdAware to cover all the bases, but we'll see how it goes.

Post back with a fresh HJT log after booting back to normal mode.
HKEd
May 3 2005, 09:18 PM
Instructions for disabling TeaTimer are here.
liz1836
May 4 2005, 04:54 PM
Okay I have deleted what you said. And we do use a proxy server. No I didn't set that for the following.
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1 << Did you set this yourself? It may be a TeaTimer setting.


I am posting a new log for you to look at. Could you tell me what else we would need to do?

I also have another machine to look at since I have made improvements for this one. I have a problem though I could not get it to download highjackthis. I thought about putting it on a disk and installing it that way. I will try tomorrow.

Thanks for all of your help. I really appreciate it.

Liz


Logfile of HijackThis v1.99.1
Scan saved at 6:50:00 PM, on 5/4/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\NOVELL\CLIENT32\NWRECMSG.EXE
C:\NOVELL\CLIENT32\WM95.EXE
C:\PROGRAM FILES\CA\ETRUST\INOCULATEIT\INOTASK.EXE
C:\PROGRAM FILES\CA\ETRUST\INOCULATEIT\INORT9X.EXE
C:\PROGRAM FILES\CA\ETRUST\INOCULATEIT\INORPC.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
F:\PUBLIC\CLNTRUST.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\DPMW32.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\CA\ETRUST\INOCULATEIT\REALMON.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WND.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WNF.EXE
C:\NOVELL\GROUPWISE\NOTIFY.EXE
C:\PROGRAM FILES\MSWORKS\CALENDAR\WKCALREM.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\HIJACK THIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.1.251:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\SYSTEM\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\SYSTEM\dpmw32.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Realtime Monitor] "C:\Program Files\CA\eTrust\InoculateIT\realmon.exe"
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\RunServices: [Workstation Scheduler] C:\novell\client32\wm95.exe
O4 - HKLM\..\RunServices: [InoTask] C:\Program Files\CA\eTrust\InoculateIT\InoTask.exe
O4 - HKLM\..\RunServices: [InoRT] C:\Program Files\CA\eTrust\InoculateIT\InoRT9x.exe
O4 - HKLM\..\RunServices: [InoRPC] C:\Program Files\CA\eTrust\InoculateIT\InoRpc.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: GroupWise Notify.lnk = C:\NOVELL\GroupWise\Notify.exe
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\MSWorks\Calendar\WKCALREM.EXE
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://autos.msn.com/components/ocx/exteri...ior/Outside.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug/tr...Transporter.cab?

HKEd
May 4 2005, 06:43 PM
That looks fine now, Liz.

You can copy HijackThis to a floppy disk and transfer it over to the other system. Please start a new thread for that one.
liz1836
May 4 2005, 08:38 PM
Thanks I'll do that.

Liz
This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.
Invision Power Board © 2001-2009 Invision Power Services, Inc.