Need Help With HJT report

Name: jan7771
Date: January 21, 2004 at 19:50:04 Pacific
OS: XP Pro
CPU/Ram: 512mb
Comment:

I have been struggling to rid my PC of a few viruses and a keylogger. Initially the viruses were:
Java/NoCheat.B, Java/ClassLoader.E and ClassLoader.C. My antivirus program had been acting up for the week prior to the problems.
I would run the program (AVG) and it would take forever to complete.

I assumed it was completing w/o any problems until I checked the Test Results and saw that none of the recent
checks had ever completed. I also use SpyBot and Adaware(both updated).
I removed the AVG and installed NOD32 instead which detected them.
I then found the MSIESH.DLL and MSHP.DLL files after reading some of the forum posts here. I was able to delete
the MSHP.DLL, but XP (Pro) wouldn't allow me to delete the MSIESH.DLL. I did rename it, though.
I also ran HJT and deleted the mshp related files.
I installed and ran TrojanHunter and CWShredder.
I also added spywareblaster.
TrojanHunter found KLog.Pefect.147. It was deleted. Rebooted and reran everything.
While Trojan Hunter was running, NOD32 resident popped up and detected Nexus.A.trojan, myCYHpRW.exe, and plushk.dll.
I was not able to delete, quarantine or rename the first two, but I was able to rename plushk.dll

Now, when I run everything, nothing shows up except NOD32's resident alerts as TrojanHunter is accessing the files when it runs its check.
The last one remaining is TEMP\ryXKPl.exe, I've cleared the temp file but it seems to return.
I do have System Restore currently turned off, but it was on during the initial problem phase.

I fear that I may be overlooking something in my HJT report. Could someone be kind enough to look at it and advise me on what could still be problematic?
Thank you so much.

Logfile of HijackThis v1.96.4
Scan saved at 5:33:07 PM, on 1/21/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\PFWShared\cfgintpr.exe
C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\TPF4\umxagent.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Google\ggverscheck67-96.exe
C:\Program Files\Windows NT\Accessories\wordpad.exe
C:\Documents and Settings\User1\Desktop\Part Magic\hijack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://login.yahoo.com/config/login?.src=ym&.v=0&.u=flvdeu100n825&.last=&promo=&.intl=us&.bypass=&.partner=&pkg=&stepid=&.done=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.yahoo.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AMonitor] C:\Program Files\TPF4\amon.exe
O4 - HKLM\..\Run: [nod32kui] C:\Program Files\Eset\nod32kui.exe /WAITSERVICE
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.8\THGuard.exe"
O4 - HKLM\..\RunServices: [RunAlert] C:\Program Files\MSI\PC Alert III\AService.exe
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Research (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: FlashGet (HKLM)
O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
O10 - Broken Internet access because of LSP provider 'imon.dll' missing
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01111C00-3E00-11D2-8470-0060089874ED} (Support.com ActionRunner Class) - http://help.rr.com/Foundrysdccommon/download/tgctlar.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinstc.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (OPUCatalog Class) - http://officebeta.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://tw.msi.com.tw/autobios/client/iftwclix.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/d2c89f68a1bb5a/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gateway.com/support/serialharvest/gwCID.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37878.1107638889
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab


Response Number 1
Name: Imp
Date: January 21, 2004 at 20:23:48 Pacific
Reply:

Hello Jan,
I don't know what exactly you do with your computer, but I can say that if you continue like this you will have a real problem.
When you start to configure it, first read about what you need, then choose programs which correspond exactly to what you wish, and keep them.
Apparently, you seem now to be corrupted by many different Trojan horses; they are not viruses but small programs created to hijack your machine and steal vital information.
Some Trojan horses are programmed to neutralize all anti-virus and anti-trojan programs already installed in your system, which means maybe today none of your programs are able to work and perform correctly.
What you need now is to download a new clean program and run it as soon as you open your computer, in order first to neutralize them, then to follow the directives to eradicate all the worms hidden somewhere in your hard drive.
Download and try Trojan Remover 6.15. This program is freeware for one month, but fully updated. Read well how to use the two scans: one for the memory, the second one to scan your hard drive.... Good luck

Response Number 2
Name: dw226
Date: January 21, 2004 at 20:27:22 Pacific
Reply:

I see HijackThis in the wrong folder (unplugs his mouse).

Seriously though Jan, HijackThis needs its own folder in a permanent directory such as C:\Program Files in order to restore any backups it makes. As far as the rest of the log, I'm doing my research now.


Response Number 3
Name: dw226
Date: January 21, 2004 at 20:28:50 Pacific
Reply:

Nevermind, Imp has ya covered :-)


Response Number 4
Name: jan7771
Date: January 21, 2004 at 20:56:37 Pacific
Reply:

Thanks for the quick replies guys.

What in particular in the HJT log looks troublesome?

I'll move HJT to a different dir and install trojan remover again and run it.
I had it on my pc, but it never ran right so I removed it. Perhaps that was related to the problem(s) that you saw Imp.

I'll also run another HJT afterward(and after other progs stated earlier) and repost it here.

Thanks again!


Response Number 5
Name: blender
Date: January 21, 2004 at 23:06:25 Pacific
Reply:

Jan7771

In order for anyone to analyse your log properly and to prevent possible problems with the cleanup procedures...there is a newer version of HijackThis out...it is now at version 1.97.7. It is recommended you download the newest version into its own directory like stated above, replace the version you have now, run a new scan and post the new log.
Some of the problems you may be having could be a result of having your antivirus running while scanning with Trojan Remover...there will be conflicts because both programs are trying to scan...Trojan Remover because you told it to and AVG because it is configured to scan in the background as files are accessed.
While running any of these scans, including Spybot, Ad-Aware, anti-trojans and online scans...temporarily disable your antivirus.
I would also try running these scans in safe mode, as most trojans, spyware and viruses do not load in safe mode, therefore Windows is not using the files so they can be removed. (usually)
Reboot after each scan.

New HijackThis can be downloaded here:

http://www.merijn.org/downloads.html

Imp, dw226

Not trying to step on toes...just trying to add help.


Response Number 6
Name: jan7771
Date: January 22, 2004 at 00:06:20 Pacific
Reply:

Thanks blender. I dl'd the newer version and re-ran everything with my antivirus(Nod32) turned off.
Below is my new HJT log:

Logfile of HijackThis v1.97.7
Scan saved at 2:02:56 AM, on 1/22/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\PFWShared\cfgintpr.exe
C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\TPF4\umxagent.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\Program Files\Google\ggverscheck67-96.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://login.yahoo.com/config/login?.src=ym&.v=0&.u=flvdeu100n825&.last=&promo=&.intl=us&.bypass=&.partner=&pkg=&stepid=&.done=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.yahoo.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AMonitor] C:\Program Files\TPF4\amon.exe
O4 - HKLM\..\Run: [nod32kui] C:\Program Files\Eset\nod32kui.exe /WAITSERVICE
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.8\THGuard.exe"
O4 - HKLM\..\RunServices: [RunAlert] C:\Program Files\MSI\PC Alert III\AService.exe
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Research (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: FlashGet (HKLM)
O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
O10 - Broken Internet access because of LSP provider 'imon.dll' missing
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01111C00-3E00-11D2-8470-0060089874ED} (Support.com ActionRunner Class) - http://help.rr.com/Foundrysdccommon/download/tgctlar.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinstc.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (OPUCatalog Class) - http://officebeta.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://tw.msi.com.tw/autobios/client/iftwclix.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/d2c89f68a1bb5a/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gateway.com/support/serialharvest/gwCID.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37878.1107638889
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
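
A small parser for the HijackThis log format shown in the two logs in this thread, added here as an example; it is not code from the thread, from HijackThis or from merijn.org. It reads the "Running processes" block and the numbered entries, pulls the executable out of each O4 autostart and the host out of each O16 ActiveX download, and applies three reviewer heuristics that the thread itself touches on: a process or autostart running from a user-writable location (dw226's point about HijackThis sitting on the Desktop), an O4 command that names its executable without a directory, and the O10 broken-LSP line. The sample log is a constructed excerpt of the log posted above; the marker list and the heuristics are assumptions of this example and flag items for a human to look at, not verdicts.

```python
"""Parse a HijackThis 1.9x log and flag entries worth a closer look.

Added example, not code from the thread or from HijackThis.  The sample
below is a constructed excerpt of the log posted in this thread; the
checks are reviewer heuristics, not verdicts.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed excerpt of the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.96.4
Scan saved at 5:33:07 PM, on 1/21/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Google\ggverscheck67-96.exe
C:\Documents and Settings\User1\Desktop\Part Magic\hijack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://login.yahoo.com/config/login?.src=ym
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.8\THGuard.exe"
O4 - HKLM\..\RunServices: [RunAlert] C:\Program Files\MSI\PC Alert III\AService.exe
O10 - Broken Internet access because of LSP provider 'imon.dll' missing
O16 - DPF: {01111C00-3E00-11D2-8470-0060089874ED} (Support.com ActionRunner Class) - http://help.rr.com/Foundrysdccommon/download/tgctlar.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37878.1107638889
"""

# Every entry line looks like "<code> - <detail>", e.g. "O4 - HKLM\..\Run: [Name] command".
ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d{1,2}) - (?P<detail>.*)$")
O4_RE = re.compile(r"^(?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O16_RE = re.compile(r"^DPF: (?P<clsid>\{[0-9A-Fa-f-]+\}) \((?P<name>[^)]*)\) - (?P<url>\S+)$")

# Locations an ordinary user can write to (assumed markers, XP-era paths).
USER_WRITABLE_MARKERS = ("\\documents and settings\\", "\\desktop\\", "\\temp\\")


def parse_log(text):
    """Return {'processes': [...], 'entries': {code: [detail, ...]}}."""
    processes, entries = [], defaultdict(list)
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False        # a blank line closes the process block
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries[m["code"]].append(m["detail"])
    return {"processes": processes, "entries": dict(entries)}


def executable_of(cmd):
    """Pull the program out of an O4 command line, quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"') and '"' in cmd[1:]:
        return cmd[1:cmd.index('"', 1)]
    m = re.match(r"(.+?\.(?:exe|dll|ocx|com|bat|scr))(?=\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def in_user_writable_dir(path):
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE_MARKERS)


def dpf_hosts(parsed):
    """Hosts that O16 entries download ActiveX controls from, for manual review."""
    hosts = set()
    for detail in parsed["entries"].get("O16", []):
        m = O16_RE.match(detail)
        if m:
            hosts.add(urlparse(m["url"]).hostname)
    return sorted(hosts)


def triage(parsed):
    """Return (kind, detail) pairs a reviewer should look at."""
    findings = []
    for proc in parsed["processes"]:
        if in_user_writable_dir(proc):
            findings.append(("process-in-user-dir", proc))
    for detail in parsed["entries"].get("O4", []):
        m = O4_RE.match(detail)
        if not m:
            continue
        exe = executable_of(m["cmd"])
        label = f"[{m['name']}] {exe}"
        if in_user_writable_dir(exe):
            findings.append(("autostart-in-user-dir", label))
        elif "\\" not in exe:
            # A bare file name is resolved through the search path at logon.
            findings.append(("autostart-unqualified-exe", label))
    for detail in parsed["entries"].get("O10", []):
        # HijackThis reports a Winsock LSP chain entry whose DLL is missing.
        findings.append(("lsp-chain-broken", detail))
    return findings


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for kind, detail in triage(parsed):
        print(f"{kind:28} {detail}")
    print("O16 download hosts:", ", ".join(dpf_hosts(parsed)))
```

Run against the excerpt, the triage reports the HijackThis process on the Desktop, the NvCplDaemon entry that launches RUNDLL32.exe without a directory, and the O10 line; the O16 hosts (help.rr.com, v4.windowsupdate.microsoft.com) are listed separately because the parser cannot judge them, which is exactly why blender asks whether the ISP is Road Runner before touching that entry.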


Response Number 7
Name: jan7771
Date: January 22, 2004 at 17:17:25 Pacific
Reply:

Imp, TR 6.15 refuses to install since I had the previous version before 6.12 and the trial time had expired.
All it will let me do is purchase the software.
Any ideas as to how to rid my registry of previous install so that it will allow me to run the newer version?
Thanks again.


Response Number 8
Name: blender
Date: January 22, 2004 at 19:34:57 Pacific
Reply:

jan7771

I'm still with you, I just got in from work...just checking a few entries that are difficult to find information on; not necessarily bad, I just want to be sure we don't make a mistake.
Is your internet provider Road Runner? And are you having problems with your internet connection...like being unable to access web pages, email, chat...that sort of thing?

How did the last round of scans go? any results?

I would not recommend trying to remove anything from registry unless you know what you are doing...you might disable your machine from starting..It is so easy to make a mistake, the registry is a very fragile place.

Can you go to this file:

C:\program files\google\ggverscheck67-96.exe
Right click on it> click properties> and tell me what it says please when you click each item in the list box that pops up?
Thanks!...I will get back to you as soon as I can with more information.


Response Number 9
Name: jan7771
Date: January 22, 2004 at 20:20:03 Pacific
Reply:

Hi Blender...
thanks for the reply.
My isp is rr.
The ggverscheck67-96.exe file is an Application file for Google's Deskbar
(which is wonderful, btw). I didn't see anything unusual in its properties.

My pc is definitely acting different, slower and funkier.
I fear that the MBR has been affected. My AV software at the time stated that it had changed...which led me down this path. The last scans seemed to be better, no red alerts but many "unable to access this file" messages. They are MUCH slower than normal.

I ran the Maxtor HD's utility tests and it came back with:
Soft Reset Test: Passed
Drive Recall Test: Failed
Error Code: RO3

thanks again.

