I need advice with my HijackThis log

Hello, I too had my IE 6.0 browser hijacked and have been experiencing an annoyingly slow system. I have scanned my Win 98 computer with Ad-Aware SE and Spybot S&D. They found some cookies and some registry keys from Windows Media Player but didn't solve anything. I also did an online scan at a site I read about on this forum. I need to know which entries from this log I have to delete:

Logfile of HijackThis v1.99.0
Scan saved at 0.48.50, on 25/01/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAMMI\CYBERLINK DVD SOLUTION\POWERDVD\PDVDSERV.EXE
C:\PROGRAMMI\AHEAD\INCD\INCD.EXE
C:\WINDOWS\JGRMLFS.EXE
C:\PROGRAMMI\SYMANTEC\WINFAX\WFXCTL32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAMMI\SYMANTEC\WINFAX\WFXMOD32.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://dr-search4u.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://dr-search4u.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dr-search4u.com/index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://dr-search4u.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://dr-search4u.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAMMI\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Rscmpt] C:\WINDOWS\SYSTEM\Rscmpt.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [IrMon] IrMon.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Programmi\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] C:\Programmi\Ahead\InCD\InCD.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
**O4 - HKCU\..\Run: [jiqoktc] c:\windows\tcplddh.exe** < very strange!
O4 - Startup: Controller.LNK = C:\Programmi\Symantec\WINFAX\WFXCTL32.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O18 - Protocol: ssp - {1E8068DE-05AD-11D4-ACC8-EF447469245C} - D:\PROGRAMMI\OFFLINE COMMANDER\SSP.DLL

I have done several scans with HijackThis and deleted the most obvious malicious entries. Yesterday in my log, instead of the line written in bold, there was another version:

O4 - HKLM\..\Run: [mtsodrp] C:\windows\ajebxyw.exe

Every time I reboot, these <strangename>.exe files change. I believe there must be some other file in charge that has to be deleted. In my IE browser, 4 new pages pointing to http://dr-search4u.com/sp.htm keep coming back, and the home page gets changed too.

I connect to the Internet with a 56k Conexant modem. Since I got hijacked I have noticed that I connect at 33600 bps instead of the previous 44000 bps, and the negotiating phase takes longer than usual, but I don't get redirected to any strange pages. It seems like my computer is always busy doing its own things, and when I try to do mine it blocks and I have to use Ctrl+Alt+Del to turn off some background processes.

I would also appreciate it if you could specify what the running processes in the log do (e.g. InCD.exe is software I installed with my CD/DVD writer).
Re: I need advice with my HijackThis log

KERNEL32.DLL - Windows Dynamic Link Library file
MSGSRV32.EXE - Windows file; handles 32-bit system messaging services
MPREXE.EXE - Windows file; handles certain network-related tasks
mmtask.tsk - Windows file; handles multitasking for multimedia applications
MSTASK.EXE - Windows' Task Scheduler
MDM.EXE - Windows file; provides debugging support
EXPLORER.EXE - Windows Explorer; the Windows Graphical User Interface
TASKMON.EXE - Windows' Task Manager
SYSTRAY.EXE - Windows System Tray; displays date/time, etc. on the Task Bar
STIMON.EXE - Windows' Still Image Monitor; camera, scanner, etc. support component
PDVDSERV.EXE - PowerDVD remote control support
INCD.EXE - Nero CD writing support file
JGRMLFS.EXE - WTF?? I don't like the looks of that one! See below...
WFXCTL32.EXE - Displays the WinFax icon in the System Tray
SPOOL32.EXE - Windows file; handles print spooling services
TAPISRV.EXE - Windows file; provides telephony support
WFXMOD32.EXE - Provides Symantec WinFax modem support
C:\HIJACKTHIS\HIJACKTHIS.EXE - Our friend.

C:\WINDOWS\JGRMLFS.EXE <-- Find this file in Explorer, right-click on it, and choose "Properties" from the pop-up menu. Look through the Properties tabs for any identifying information such as the name of the company which made the file; let us know what you find (or don't find).

Start HijackThis. Click on Config and then click on Miscellaneous Tools. Go to "Delete a file on reboot" and enter c:\windows\tcplddh.exe; when prompted to reboot, choose yes.

Scan with HijackThis and tick the boxes next to all of the following entries, then close all browser and Explorer windows, and hit the "Fix checked" button.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://dr-search4u.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://dr-search4u.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dr-search4u.com/index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://dr-search4u.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://dr-search4u.com/index.htm
O4 - HKCU\..\Run: [jiqoktc] c:\windows\tcplddh.exe

Reboot, run HJT again, and post a fresh log.
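The reply above triages the log by eye: R0/R1 entries whose URL points at the hijacker's domain, an O4 autorun entry launching a random seven-letter name from C:\WINDOWS, and a running process of the same shape. The same three checks can be scripted so a fresh log after each reboot is compared mechanically. The script below is an added example, not part of the original thread or of HijackThis itself; the sample log is built from the entries posted above, the hijack domain list and the `KNOWN_GOOD` allowlist are assumptions for this example (the allowlist is needed because TASKMON.EXE is also a seven-letter name in C:\WINDOWS and would otherwise be a false positive).

```python
import re
from urllib.parse import urlparse

# Domain the hijacked R0/R1 entries in the posted log point at.
HIJACK_HOSTS = {"dr-search4u.com"}

# Legitimate files in C:\WINDOWS whose names happen to be seven letters;
# without this allowlist the name heuristic below flags TASKMON.EXE too.
# Hand-maintained; constructed for this example.
KNOWN_GOOD = {"taskmon"}

# c:\windows\<seven letters>.exe, the naming pattern of the dropped files.
RANDOM_NAME = re.compile(r"^c:\\windows\\([a-z]{7})\.exe$", re.IGNORECASE)
ENTRY = re.compile(r"^([RO]\d+) - (.*)$")
O4_COMMAND = re.compile(r"^.*?\[[^\]]*\]\s+(.*)$")


def executable_of(command):
    """Program path from an O4 command line, without quotes or arguments."""
    command = command.strip()
    if command.startswith('"') and command.count('"') >= 2:
        return command[1:command.index('"', 1)]
    parts = command.split()
    return parts[0] if parts else ""


def looks_dropped(path):
    """True for c:\\windows\\<7 letters>.exe that is not on the allowlist."""
    m = RANDOM_NAME.match(path)
    return bool(m) and m.group(1).lower() not in KNOWN_GOOD


def triage(log_text):
    """Return hijack-related findings from a HijackThis log, grouped by check."""
    findings = {"browser_hijack": [], "random_run": [], "random_process": []}
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Running processes:"):
            in_processes = True
            continue
        m = ENTRY.match(line)
        if m:
            in_processes = False  # first R/O entry ends the process list
            kind, body = m.groups()
            if kind in ("R0", "R1") and " = " in body:
                host = urlparse(body.split(" = ", 1)[1]).hostname
                if host in HIJACK_HOSTS:
                    findings["browser_hijack"].append(line)
            elif kind == "O4":
                c = O4_COMMAND.match(body)
                if c and looks_dropped(executable_of(c.group(1))):
                    findings["random_run"].append(executable_of(c.group(1)))
        elif in_processes and looks_dropped(line):
            findings["random_process"].append(line)
    return findings


# Constructed sample: a subset of the log posted in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.0
Platform: Windows 98 SE (Win9x 4.10.2222A)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\JGRMLFS.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://dr-search4u.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://dr-search4u.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dr-search4u.com/index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://dr-search4u.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://dr-search4u.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKCU\..\Run: [jiqoktc] c:\windows\tcplddh.exe
O4 - Startup: Controller.LNK = C:\Programmi\Symantec\WINFAX\WFXCTL32.EXE
"""

if __name__ == "__main__":
    for check, hits in triage(SAMPLE_LOG).items():
        print(check)
        for hit in hits:
            print("  ", hit)
```

The name heuristic is deliberately narrow (seven letters, directly in C:\WINDOWS) because that is what this infection looks like; anything broader needs the allowlist to grow, and the log alone cannot see the stronger signals the original poster later found on disk (identical 46,592-byte size, no version resource, same modification date).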
Re: I need advice with my HijackThis log

Good idea finding out what jgrmlfs.exe is up to! This file has only the General tab in Properties. It's an application of about 46k and was created on 01/20/05 (the day I noticed my system was slowing down). It's not a hidden file, and that is all there is about it: no version, no company name.

Looking around my C:\windows I found more of these files. All have random names of 7 letters, a size of 46,592 bytes, and were last modified on 01/20/05. The strange thing is that the date of generation differs from one to another. I would think there is a file that generates all of these, but I have no idea where it could be. Here are the names of all the weird files I found in C:\windows:

ajebxyw.exe < the one that substituted tcplddh.exe
bsmjwyl.exe
ejumeup.exe
fknngxc.exe
jgrmlfs.exe < the one you pointed out
jlksgyv.exe
lcpbvct.exe
lcrsomx.exe
njshjui.exe
oaqxacd.exe
oltfrfq.exe
qetxaqc.exe
qqhbheh.exe < the one I can find in tonight's Ctrl+Alt+Del dialog window
rdmkdvh.exe
sbqetic.exe
tcplddh.exe < the one I wrote in bold
xxpxojj.exe

Unfortunately, in the Miscellaneous Tools the "Delete a file on reboot" button is grayed out. How can I make it available?
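The post above found the dropped files by hand: seventeen executables in one directory, all with random seven-letter names, all exactly 46,592 bytes, all last modified on the same day, and none with a version resource. That combination (a cluster of same-size, random-named files) is a stronger signature than any single name, and it is easy to sweep for. The script below is an added example, not part of the thread; it builds a throwaway directory from the file names and size the poster reported (contents are zero bytes, the two decoy sizes are invented) and then clusters whatever it finds.

```python
import os
import re
import tempfile
from collections import defaultdict
from datetime import datetime

# Seven-letter, letters-only .exe names, the pattern of the dropped files.
RANDOM_EXE = re.compile(r"^[a-z]{7}\.exe$", re.IGNORECASE)


def find_dropper_clusters(directory, min_members=3):
    """Group random-named .exe files in `directory` by exact size.

    Returns {size: {"names": [...], "mtime_dates": [...]}} for every size that
    has at least `min_members` such files. One random-looking name on its own
    proves nothing; many of identical size with a shared date is the signature.
    """
    by_size = defaultdict(list)
    for name in os.listdir(directory):
        path = os.path.join(directory, name)
        if not RANDOM_EXE.match(name) or not os.path.isfile(path):
            continue
        st = os.stat(path)
        mdate = datetime.fromtimestamp(st.st_mtime).date()
        by_size[st.st_size].append((name.lower(), mdate))
    clusters = {}
    for size, members in by_size.items():
        if len(members) >= min_members:
            clusters[size] = {
                "names": sorted(n for n, _ in members),
                "mtime_dates": sorted({d.isoformat() for _, d in members}),
            }
    return clusters


# Constructed fixture: the names listed in the post, padded to the reported
# 46,592 bytes and stamped with the reported 01/20/05 modification date.
DROPPED = ["ajebxyw", "bsmjwyl", "ejumeup", "fknngxc", "jgrmlfs", "jlksgyv",
           "lcpbvct", "lcrsomx", "njshjui", "oaqxacd", "oltfrfq", "qetxaqc",
           "qqhbheh", "rdmkdvh", "sbqetic", "tcplddh", "xxpxojj"]
DROPPED_SIZE = 46592
DROPPED_MTIME = datetime(2005, 1, 20, 12, 0).timestamp()


def build_fixture(directory):
    """Write the constructed files into `directory`."""
    for stem in DROPPED:
        path = os.path.join(directory, stem + ".exe")
        with open(path, "wb") as fh:
            fh.write(b"\0" * DROPPED_SIZE)
        os.utime(path, (DROPPED_MTIME, DROPPED_MTIME))
    # Decoys: taskmon.exe is also seven letters but a different (invented)
    # size and today's date; explorer.exe does not match the pattern at all.
    with open(os.path.join(directory, "taskmon.exe"), "wb") as fh:
        fh.write(b"\0" * 28672)
    with open(os.path.join(directory, "explorer.exe"), "wb") as fh:
        fh.write(b"\0" * 180224)


def demo():
    """Build the fixture in a temporary directory and return its clusters."""
    with tempfile.TemporaryDirectory() as tmp:
        build_fixture(tmp)
        return find_dropper_clusters(tmp)


if __name__ == "__main__":
    for size, info in demo().items():
        print(f"{len(info['names'])} files of {size} bytes, modified on {info['mtime_dates']}:")
        print("  " + " ".join(info["names"]))
```

Run against a real C:\WINDOWS the same function reports the cluster plus its modification dates, which is exactly the list one wants before booting to Safe Mode to delete them; a version-resource check (the "no company name" observation) would need PE parsing and is left out here.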
Re: I need advice with my HijackThis log

I tried another way. I rebooted my Win 98 system in Safe Mode and deleted the strange files from C:\windows. Then I rebooted in Normal Mode, checked all the malicious entries in the HJT log, hit Fix, and then did a third reboot. The log now looks like this:

Logfile of HijackThis v1.99.0
Scan saved at 4.35.14, on 25/01/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAMMI\CYBERLINK DVD SOLUTION\POWERDVD\PDVDSERV.EXE
C:\PROGRAMMI\AHEAD\INCD\INCD.EXE
C:\PROGRAMMI\SYMANTEC\WINFAX\WFXCTL32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAMMI\SYMANTEC\WINFAX\WFXMOD32.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAMMI\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Rscmpt] C:\WINDOWS\SYSTEM\Rscmpt.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [IrMon] IrMon.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Programmi\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] C:\Programmi\Ahead\InCD\InCD.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - Startup: Controller.LNK = C:\Programmi\Symantec\WINFAX\WFXCTL32.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O18 - Protocol: ssp - {1E8068DE-05AD-11D4-ACC8-EF447469245C} - D:\PROGRAMMI\OFFLINE COMMANDER\SSP.DLL

The "Collegamenti" in the first line after the processes is Italian for "Links", the folder in Favourites. If you have any suggestions or observations about this log, please post them. Thanks for the great help!
Re: I need advice with my HijackThis log

Your log looks clean to me now; are you still experiencing any problems? If so, let us know.
Re: I need advice with my HijackThis log

You should also go to Windows Update and get the Critical Updates for your system :)
Re: I need advice with my HijackThis log

I have waited these days to see if any of the spyware came back. So far my system seems to run normally, with no more slowdowns.

However, I have another question. When looking around my C:\windows folder I noticed a lot of .TMP files with apparently random names, of 0 KB, coupled in pairs by their last-modified date. They have only the General tab in Properties. For example:

fff4be75_{E989AFE0-393E-11D8-B236-444553540000}.tmp 0 KB last modified 12/28/03 14:05
fff4be75_{E989AFE1-393E-11D8-B236-444553540000}.tmp 0 KB last modified 12/28/03 14:05
fffe2a03_{0059D621-A10D-11D2-B29F-C85FED321A46}.tmp 0 KB last modified 01/01/99 00:00
fffe2a03_{0059D620-A10D-11D2-B29F-C85FED321A46}.tmp 0 KB last modified 01/01/99 00:00
fffe16bb_{67C51F40-6C22-11D9-B2A0-C5CFC19E4546}.tmp 0 KB last modified 01/22/05 03:05
fffe16bb_{67C51F41-6C22-11D9-B2A0-C5CFC19E4546}.tmp 0 KB last modified 01/22/05 03:05

Which program generates these files, and what is their purpose? Is it safe to delete them? It seems the files don't occupy space, but I just hate having to hit Page Down 10 times to browse my files in C:\windows.

To dlh6213: you are right, but in the next two weeks I'll upgrade to Win XP (I found out that the university is part of the Academic Alliance and all students can get copies of Win XP for studying and practising on the PC. Our computer lab also supplies CDs with Linux ISOs.) I'll upgrade my current dual boot when my student account gets enabled.
Re: I need advice with my HijackThis log

I don't know what specific programs are creating those, but the 32-digit strings enclosed in braces look like CLSIDs (CLass IDentifiers) to me. CLSIDs are unique identifiers for Windows COM (Component Object Model) entities installed on your system, and those entities should have entries for their related CLSIDs hiding in your Registry. If I'm correct about this, you may be able to determine which programs are generating the tmp files by searching through your Registry for the CLSIDs in question:

1. In your Start menu, choose the "Run..." option and type the following in the "Open:" box to run the Registry Editor: regedit

2. Once the program opens, choose the "Find..." option under the Edit menu to bring up the search window, paste one of the CLSIDs from the suspect filenames into the search box, perform the search, and see if the ID is found. If so, see if there's any helpful information within the found key. If not, there may be other listings for the CLSID elsewhere in the Registry; pressing the F3 key will continue your search.

3. Repeat the above for each of the 32-digit strings in the other suspect files.
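A CLSID is a GUID, and the six GUIDs in the listed filenames are all version-1 GUIDs, the kind that embeds a 60-bit creation timestamp and a 48-bit node field. Before the Registry search above, the names themselves can therefore be decoded. The script below is an added example, not part of the thread; it takes the filenames and last-modified times exactly as listed in the previous post (a constructed fixture, since the files are not available here) and shows that each GUID's embedded timestamp agrees with the listed modification time to the minute, that the two GUIDs in a pair were generated one 100 ns tick apart, and that the node field of the first pair is the ASCII text "DEST" rather than a hardware address. It does not identify the generating program; it only narrows the question to "what ran at those moments and called the GUID generator twice".

```python
import re
import uuid
from datetime import datetime, timedelta

# Filenames and last-modified times exactly as listed in the post above
# (constructed fixture; the times are only used for comparison).
TMP_FILES = [
    ("fff4be75_{E989AFE0-393E-11D8-B236-444553540000}.tmp", "12/28/03 14:05"),
    ("fff4be75_{E989AFE1-393E-11D8-B236-444553540000}.tmp", "12/28/03 14:05"),
    ("fffe2a03_{0059D621-A10D-11D2-B29F-C85FED321A46}.tmp", "01/01/99 00:00"),
    ("fffe2a03_{0059D620-A10D-11D2-B29F-C85FED321A46}.tmp", "01/01/99 00:00"),
    ("fffe16bb_{67C51F40-6C22-11D9-B2A0-C5CFC19E4546}.tmp", "01/22/05 03:05"),
    ("fffe16bb_{67C51F41-6C22-11D9-B2A0-C5CFC19E4546}.tmp", "01/22/05 03:05"),
]

TMP_NAME = re.compile(r"^(?P<prefix>[0-9a-f]+)_\{(?P<guid>[0-9A-Fa-f-]{36})\}\.tmp$")
# Version-1 GUID timestamps count 100 ns ticks from the Gregorian reform date.
UUID_EPOCH = datetime(1582, 10, 15)


def decode_tmp_name(filename):
    """Split '<prefix>_{GUID}.tmp' and decode what the GUID itself records.

    Returns None for names that do not match; otherwise a dict with the
    prefix, GUID version, decoded generation time (version 1 only) and the
    node field as ASCII when it is printable text rather than a MAC address.
    """
    m = TMP_NAME.match(filename)
    if not m:
        return None
    u = uuid.UUID(m.group("guid"))
    info = {"prefix": m.group("prefix"), "version": u.version,
            "generated": None, "node_ascii": None}
    if u.version == 1:
        # u.time is the 60-bit tick count assembled from time_low/mid/hi.
        info["generated"] = UUID_EPOCH + timedelta(microseconds=u.time // 10)
        node = u.node.to_bytes(6, "big")
        if all(b == 0 or 32 <= b < 127 for b in node):
            info["node_ascii"] = node.decode("ascii").rstrip("\0")
    return info


def pair_gap_ticks(filename_a, filename_b):
    """Difference, in 100 ns ticks, between two version-1 GUID timestamps."""
    a = uuid.UUID(TMP_NAME.match(filename_a).group("guid"))
    b = uuid.UUID(TMP_NAME.match(filename_b).group("guid"))
    return abs(a.time - b.time)


def report(files=TMP_FILES):
    """(name, listed mtime, decoded GUID time, node text) for each file."""
    rows = []
    for name, listed in files:
        d = decode_tmp_name(name)
        decoded = d["generated"].strftime("%m/%d/%y %H:%M") if d["generated"] else "-"
        rows.append((name, listed, decoded, d["node_ascii"]))
    return rows


if __name__ == "__main__":
    for name, listed, decoded, node in report():
        print(f"{name}\n  listed {listed}  decoded {decoded}  node {node!r}")
    print("gap within first pair:", pair_gap_ticks(TMP_FILES[0][0], TMP_FILES[1][0]), "ticks")
```

The decoded value is nominally UTC, and on this machine it lines up with the listed local times, so whatever wrote these files stamped them at the same instant it generated the GUIDs. A timestamp is also what to search for in the Registry after the CLSID lookup comes up empty: any installer or update log from 12/28/03, 01/01/99 and 01/22/05 is a candidate.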
©2003 - 2009 DaniWeb® LLC