0

Hello, I too had my IE 6.0 browser hijacked and have been experiencing some annoying slow system.

I have scanned my Win 98 computer with Ad-ware SE and Spybot S&D. They found some cookies and some registry keys from Windows Media Player but didn't solve anything. I also made an online scanning at a site I read about on this forum. I need to know which entries from this log I have to delete:

Logfile of HijackThis v1.99.0
Scan saved at 0.48.50, on 25/01/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAMMI\CYBERLINK DVD SOLUTION\POWERDVD\PDVDSERV.EXE
C:\PROGRAMMI\AHEAD\INCD\INCD.EXE
C:\WINDOWS\JGRMLFS.EXE
C:\PROGRAMMI\SYMANTEC\WINFAX\WFXCTL32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAMMI\SYMANTEC\WINFAX\WFXMOD32.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://dr-search4u.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://dr-search4u.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dr-search4u.com/index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://dr-search4u.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://dr-search4u.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAMMI\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Rscmpt] C:\WINDOWS\SYSTEM\Rscmpt.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [IrMon] IrMon.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Programmi\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] C:\Programmi\Ahead\InCD\InCD.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKCU\..\Run: [jiqoktc] c:\windows\tcplddh.exe < very strange!
O4 - Startup: Controller.LNK = C:\Programmi\Symantec\WINFAX\WFXCTL32.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O18 - Protocol: ssp - {1E8068DE-05AD-11D4-ACC8-EF447469245C} - D:\PROGRAMMI\OFFLINE COMMANDER\SSP.DLL

I have done several scans with HijackThis and deleted the most obvious malicious entries. Yesterday in my log instead of the line written in bold there was another version:

04 -HKLM\...\Run:[mtsodrp] C:\windows\ajebxyw.exe

Every time I reboot these <strangename>.exe change. I believe there must be some other file in charge that has to be deleted. In my IE browser 4 new pages pointing to http://dr-search4u.com/sp.htm keep coming back and the home page gets changed too.

I connect to Internet with a 56 k Conexant modem. Since I got hijacked I noticed that I can connect at 33600 bps instead of the previous 44000 pbs. And the negotiating phase takes more than usual,but I don't get redirected to any strange pages. It seems like my computer is always busy doing his things and when I try to do mine it blocks and have to use the ctrl+alt+del to turn off some backgroud procesess.

I would appreciate too if you could specify what the running processes in the log do.(e.g. InCd.exe is a software I have installed with my cd-dvd writer)

3
Contributors
7
Replies
8
Views
12 Years
Discussion Span
Last Post by DMR
0

I would appreciate too if you could specify what the running processes in the log do.(e.g. InCd.exe is a software I have installed with my cd-dvd writer)

Running processes:
KERNEL32.DLL - Windows Dynamic Link Library file
MSGSRV32.EXE - Windows file; handles 32-bit system messaging services
MPREXE.EXE - Windows file; handles certain network-related tasks
mmtask.tsk - Windows file; handles multitasking for multimedia applications
MSTASK.EXE - Windows' Task Scheduler
MDM.EXE - Windows file; provides debugging support
EXPLORER.EXE - Windows Explorer; the Windows Graphical User Interface
TASKMON.EXE - Windows' Task Manager
SYSTRAY.EXE - Windows System Tray; displays date/time, etc. on the Task Bar
STIMON.EXE - Windows' Still Image Monitor; camera, scanner, etc. support component
PDVDSERV.EXE - Power DVD remote control support
INCD.EXE - Nero CD writing support file
JGRMLFS.EXE - WTF?? I don't like the looks of that one! See Below...
WFXCTL32.EXE - Displays WinFax icon in the System Tray
SPOOL32.EXE - Windows file; handles print spooling services
TAPISRV.EXE - Windows file; provides telephony support
WFXMOD32.EXE - Provides Symantec WinFax modem support
C:\HIJACKTHIS\HIJACKTHIS.EXE - Our friend.

C:\WINDOWS\JGRMLFS.EXE <-- Find this file in Explorer, right-click on it, and choose "Properties" from the pop-up menu. Look through the Properties tabs for any identifying information such as the name of the company which made the file; let us know what you find (or don't find).


Start hijackthis. Click on Config and then click on Miscellaneous Tools. Go to delete a file on reboot and enter c:\windows\tcplddh.exe; when prompted to reboot choose yes.

Scan with hijackthis and tick the boxes next to all the following entries, then close all browser and explorer windows, and hit the "Fix checked" button.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://dr-search4u.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://dr-search4u.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dr-search4u.com/index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://dr-search4u.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://dr-search4u.com/index.htm
O4 - HKCU\..\Run: [jiqoktc] c:\windows\tcplddh.exe

Reboot, run HJT again, and post a fresh log.

0

good idea finding out what jgrmlfs.exe is up to! this file has only the General tab in Properties. It's an application of about 46k and was created on 01/20/05.(the day I noticed my system was slowing down).It's not a hidden file and this is all about it. No version, no company name. Looking around my C:\windows I found more of these files.

All have random names of 7 letters, size of 46,592 bytes and were last modified on 01/20/05. The strange thing is that the date of generation differs from one to another. I would think there is a file that generates all these,but have no idea where it could be.

Here are the names of all weird files I found in C:\windows :
ajebxyw.exe < the one that substituted tcplddh.exe
bsmjwyl.exe
ejumeup.exe
fknngxc.exe
jgrmlfs.exe < the one you pointed out
jlksgyv.exe
lcpbvct.exe
lcrsomx.exe
njshjui.exe
oaqxacd.exe
oltfrfq.exe
qetxaqc.exe
qqhbheh.exe < the one that i can find in my tonight's ctrl+alt+del dialog window
rdmkdvh.exe
sbqetic.exe
tcplddh.exe < the one I wrote in bold
xxpxojj.exe


Unfortunately, in the Miscellaneous Tools the button Delete a file on reboot is grayed. How can I make it available?

0

I tried another way. I rebooted in Safe Mode my Win 98 system and deleted the strange files from C:\windows.

Then I rebooted in Normal Mode, checked all the malicious entries in HJT log,hit fix and then did a third reboot. The log now looks like this:

Logfile of HijackThis v1.99.0
Scan saved at 4.35.14, on 25/01/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAMMI\CYBERLINK DVD SOLUTION\POWERDVD\PDVDSERV.EXE
C:\PROGRAMMI\AHEAD\INCD\INCD.EXE
C:\PROGRAMMI\SYMANTEC\WINFAX\WFXCTL32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAMMI\SYMANTEC\WINFAX\WFXMOD32.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAMMI\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Rscmpt] C:\WINDOWS\SYSTEM\Rscmpt.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [IrMon] IrMon.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Programmi\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] C:\Programmi\Ahead\InCD\InCD.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - Startup: Controller.LNK = C:\Programmi\Symantec\WINFAX\WFXCTL32.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O18 - Protocol: ssp - {1E8068DE-05AD-11D4-ACC8-EF447469245C} - D:\PROGRAMMI\OFFLINE COMMANDER\SSP.DLL

The Collegamenti thing in the first line after the processes is italian for Links in Favourites Folder. If you have any suggestions or observations about this log please post them.

thanks for the great help!

0

good idea finding out what jgrmlfs.exe is up to! this file has only the General tab in Properties. It's an application of about 46k and was created on 01/20/05.(the day I noticed my system was slowing down).It's not a hidden file and this is all about it. No version, no company name. Looking around my C:\windows I found more of these files.

All have random names of 7 letters, size of 46,592 bytes and were last modified on 01/20/05....
I rebooted in Safe Mode my Win 98 system and deleted the strange files from C:\windows.

Well done Perrom- excellent intuition and troubleshooting on your part.

Your log looks clean to me now; are you still experiencing any problems? If so, let us know.

0

I have waited these days to see if anything of the spyware came back. Until now my system seems to run normally whith no more slowdowns.

Though, I have another question. When looking around my C:\windows file I noticed a lot of .TMP files with apparently random names, of 0 kb and coupled in pairs by the last modified date. They have only the General tab in properties.
example:

fff4be75_{E989AFE0-393E-11D8-B236-444553540000}.tmp 0 kb last modified 12/28/03 14:05
fff4be75_{E989AFE1-393E-11D8-B236-444553540000}.tmp 0 kb last modified 12/28/03 14:05

fffe2a03_{0059D621-A10D-11D2-B29F-C85FED321A46}.tmp 0 kb last modified 01/01/99 00:00
fffe2a03_{0059D620-A10D-11D2-B29F-C85FED321A46}.tmp 0 kb last modified 01/01/99 00:00
fffe16bb_{67C51F40-6C22-11D9-B2A0-C5CFC19E4546}.tmp 0 kb last modified 01/22/05 03:05
fffe16bb_{67C51F41-6C22-11D9-B2A0-C5CFC19E4546}.tmp 0 kb last modified 01/22/05 03:05

Which program generates these files and what is their purpose?
Is it safe to delete them? It seems the files don't occupy space,but I just hate to strike 10 times page down to browse my files in C:\windows.

x dlh6213: you are right, but in the next two weeks I'll upgrade to Win XP ( I found out that the university is part of the Academic Alliance and all students cand get copies of Win Xp for studying and doing practice on PC. Our informatics lab supplies too CDs with Linux isos.) I'll upgrade my actual dual boot when my student account gets enabled.

0

I don't know what specific programs are creating those, but the 32-digit strings enclosed in braces look like CLSIDs (CLass IDentifiers) to me. CLSIDs are unique identifiers for Windows COM (component Object Model) entities installed on your system, and those entities should have entries to their related CLSIDs hiding in your Registry. If I'm correct about this, you may be able to determine which programs are generating the tmp files by searching through your Registry for the CLSIDs in question:

1. In your Start menu, choose the "Run..." option and type the following in the "Open:" box to run the Registry Editor:

regedit

2. Once the program opens, choose the "Find..." option under the Edit menu
to bring up the search window, paste one of CLSIDs from the suspect filenames into the search box, perform the search, and see if the ID is found. If so, see if there's any helpful information within the found key. If not, there may be other listing for the CLSID elsewhere in the Registry; Pressing the F3 key will continue your search.

3. Repeat the above for each of the 32-digit strings in the other suspect files.

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.