PPRuNe Forums - View Single Post - Hijack This! Trying to help a friend.
Old 31st Jan 2005, 12:39
DeepC
 
Join Date: Apr 2002
Location: Roxton, UK
Age: 47
Posts: 331
Hijack This! Trying to help a friend.

Folks,

Sorry for the really long post....

My friend has sent the following HJT log to me. I have attempted to mark up the log with what I think he should do to fix it. Can anyone look at my efforts and pick any holes in it, so that the advice I eventually give to my friend is kosher? This is my first attempt at deciphering a log and it has taken a lot of Googling to sort the wheat from the chaff. This website was invaluable. If you think my friend should be running specific removal tools prior to fixing with HJT then please shout.

Many thanks

DeepC

The Log..... (Followed by my advice)

Logfile of HijackThis v1.99.0
Scan saved at 12:16:42, on 29/01/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\ATIPTAXX.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\FLBRGY.EXE
C:\SAFSA.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\ISTSVC\ISTSVC.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\TSARAXXA.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\NAVISEARCH\BIN\NLS.EXE
C:\PROGRAM FILES\CASHBACK\BIN\CASHBACK.EXE
C:\WINDOWS\WINAGENT.EXE
C:\WINDOWS\SYSTEM\WINOA386.MOD
C:\WINDOWS\SSSASASB32.EXE
C:\WINDOWS\SYSTEM\WINOA386.MOD
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?hklm
R3 - URLSearchHook: (no name) - _{2E2F8541-8566-BB3A-952B-611ABCEB8B94} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: G1.GZ - {79C03BC5-6C55-4B5B-921F-C02B6F1ABD7B} - C:\WINDOWS\ALL USERS\APPLICATION DATA\PRIBI\PRIBI.DLL
O2 - BHO: (no name) - {512F0814-6C1C-9683-860B-699277AAF977} - C:\WINDOWS\Cvzcgzrq.dll
O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\SYSTEM\NVMS.DLL
O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\SYSTEM\MSCB.DLL
O2 - BHO: MxTargetObj Class - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\MXTARGET.DLL
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\NEM220.DLL (file missing)
O2 - BHO: BAHelper Class - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\PROGRAM FILES\SIDEFIND\SFBHO.DLL
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\BXXS5.DLL
O3 - Toolbar: Search - {88217D56-EE13-C3B1-858B-F54DB3108F07} - C:\WINDOWS\Cvzcgzrq.dll
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [pdcrlu] C:\WINDOWS\SYSTEM\pdcrlu.exe
O4 - HKLM\..\Run: [SV2CJAVM] C:\WINDOWS\SYSTEM\SV2CJAVM.exe
O4 - HKLM\..\Run: [AG_HOOKM] C:\WINDOWS\SYSTEM\AG_HOOKM.exe
O4 - HKLM\..\Run: [avaj] C:\WINDOWS\SYSTEM\avaj.exe
O4 - HKLM\..\Run: [CMUII] C:\WINDOWS\SYSTEM\CMUII.exe
O4 - HKLM\..\Run: [dbc16gto] C:\WINDOWS\SYSTEM\dbc16gto.exe
O4 - HKLM\..\Run: [DCCM32R] C:\WINDOWS\SYSTEM\DCCM32R.exe
O4 - HKLM\..\Run: [E4UINITI] C:\WINDOWS\SYSTEM\E4UINITI.exe
O4 - HKLM\..\Run: [EDWIPESQ] C:\WINDOWS\SYSTEM\EDWIPESQ.exe
O4 - HKLM\..\Run: [EGWIZCR] C:\WINDOWS\SYSTEM\EGWIZCR.exe
O4 - HKLM\..\Run: [GAV] C:\WINDOWS\SYSTEM\GAV.exe
O4 - HKLM\..\Run: [liconfgc] C:\WINDOWS\SYSTEM\liconfgc.exe
O4 - HKLM\..\Run: [ncrtp] C:\WINDOWS\SYSTEM\ncrtp.exe
O4 - HKLM\..\Run: [PTENUML] C:\WINDOWS\SYSTEM\PTENUML.exe
O4 - HKLM\..\Run: [SVIDCM] C:\WINDOWS\SYSTEM\SVIDCM.exe
O4 - HKLM\..\Run: [ti64hl2a] C:\WINDOWS\SYSTEM\ti64hl2a.exe
O4 - HKLM\..\Run: [TIICDXXA] C:\WINDOWS\SYSTEM\TIICDXXA.exe
O4 - HKLM\..\Run: [TIVIFXXA] C:\WINDOWS\SYSTEM\TIVIFXXA.exe
O4 - HKLM\..\Run: [TL3DC] C:\WINDOWS\SYSTEM\TL3DC.exe
O4 - HKLM\..\Run: [V32QT32I] C:\WINDOWS\SYSTEM\V32QT32I.exe
O4 - HKLM\..\Run: [W3DPRO2S] C:\WINDOWS\SYSTEM\W3DPRO2S.exe
O4 - HKLM\..\Run: [WEDISHS] C:\WINDOWS\SYSTEM\WEDISHS.exe
O4 - HKLM\..\Run: [WVIEW32A] C:\WINDOWS\SYSTEM\WVIEW32A.exe
O4 - HKLM\..\Run: [XDIAGD] C:\WINDOWS\SYSTEM\XDIAGD.exe
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\BXXS5.DLL,DllRun
O4 - HKLM\..\Run: [3DRG8FD] C:\WINDOWS\SYSTEM\3DRG8FD.exe
O4 - HKLM\..\Run: [AVAPRXYJ] C:\WINDOWS\SYSTEM\AVAPRXYJ.exe
O4 - HKLM\..\Run: [S3MSII] C:\WINDOWS\SYSTEM\S3MSII.exe
O4 - HKLM\..\Run: [SCONFIGM] C:\WINDOWS\SYSTEM\SCONFIGM.exe
O4 - HKLM\..\Run: [TSSVEXXA] C:\WINDOWS\SYSTEM\TSSVEXXA.exe
O4 - HKLM\..\Run: [TTSVEXXA] C:\WINDOWS\SYSTEM\TTSVEXXA.exe
O4 - HKLM\..\Run: [qgrhkkwpys] C:\WINDOWS\SYSTEM\flbrgy.exe
O4 - HKLM\..\Run: [satmat] C:\WINDOWS\SATMAT.exe
O4 - HKLM\..\Run: [BFbUYiFux] C:\SAFSA.EXE
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: [switp] C:\WINDOWS\SWITP_BUND_AR3.EXE
O4 - HKLM\..\Run: [¢‰¸ï0 4Ã4}¤Áœ5]C:\Program Files\ISTsvc\istsvc.exe] C:\SAFSA.EXE
O4 - HKLM\..\Run: [¢‰¸ï0+¿ÔÇè]mú*àaîžiC:\Program Files\ISTsvc\istsvc.exe] C:\SAFSA.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [TSARAXXA] C:\WINDOWS\SYSTEM\TSARAXXA.exe
O4 - HKLM\..\Run: [SvcH0st] C:\WINDOWS\winagent.exe /i
O4 - HKLM\..\Run: [sssasasb32] C:\WINDOWS\sssasasb32.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [\Pribi.exe] C:\WINDOWS\ALLUSE~1\APPLIC~1\PRIBI\Pribi.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\PROGRAM FILES\SIDEFIND\SIDEFIND.DLL
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: Win32 Classes - file://c:\windows\Java\classes\win32ie4.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla.com/_download/A...ler/dwnldr.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = hello.com
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 137.205.128.17,137.205.128.18,137.205.128.19

DeepC's Advice to Friend....

Make sure that HJT is sitting in its own permanent folder to enable it to save backups to the same directory.

Reboot the PC, then in Task Manager shut down the following programs.

C:\WINDOWS\SYSTEM\FLBRGY.EXE
C:\SAFSA.EXE
C:\PROGRAM FILES\ISTSVC\ISTSVC.EXE
C:\WINDOWS\SYSTEM\TSARAXXA.EXE
C:\PROGRAM FILES\NAVISEARCH\BIN\NLS.EXE
C:\PROGRAM FILES\CASHBACK\BIN\CASHBACK.EXE
C:\WINDOWS\SSSASASB32.EXE

Then rerun HJT and check to fix the following entries.

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?hklm
R3 - URLSearchHook: (no name) - _{2E2F8541-8566-BB3A-952B-611ABCEB8B94} - (no file)

O2 - BHO: G1.GZ - {79C03BC5-6C55-4B5B-921F-C02B6F1ABD7B} - C:\WINDOWS\ALL USERS\APPLICATION DATA\PRIBI\PRIBI.DLL
O2 - BHO: (no name) - {512F0814-6C1C-9683-860B-699277AAF977} - C:\WINDOWS\Cvzcgzrq.dll
O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\SYSTEM\NVMS.DLL
O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\SYSTEM\MSCB.DLL
O2 - BHO: MxTargetObj Class - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\MXTARGET.DLL
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\NEM220.DLL (file missing)
O2 - BHO: BAHelper Class - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\PROGRAM FILES\SIDEFIND\SFBHO.DLL
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\BXXS5.DLL
O3 - Toolbar: Search - {88217D56-EE13-C3B1-858B-F54DB3108F07} - C:\WINDOWS\Cvzcgzrq.dll

O4 - HKLM\..\Run: [pdcrlu] C:\WINDOWS\SYSTEM\pdcrlu.exe
O4 - HKLM\..\Run: [SV2CJAVM] C:\WINDOWS\SYSTEM\SV2CJAVM.exe
O4 - HKLM\..\Run: [AG_HOOKM] C:\WINDOWS\SYSTEM\AG_HOOKM.exe
O4 - HKLM\..\Run: [avaj] C:\WINDOWS\SYSTEM\avaj.exe
O4 - HKLM\..\Run: [CMUII] C:\WINDOWS\SYSTEM\CMUII.exe
O4 - HKLM\..\Run: [dbc16gto] C:\WINDOWS\SYSTEM\dbc16gto.exe
O4 - HKLM\..\Run: [DCCM32R] C:\WINDOWS\SYSTEM\DCCM32R.exe
O4 - HKLM\..\Run: [E4UINITI] C:\WINDOWS\SYSTEM\E4UINITI.exe
O4 - HKLM\..\Run: [EDWIPESQ] C:\WINDOWS\SYSTEM\EDWIPESQ.exe
O4 - HKLM\..\Run: [EGWIZCR] C:\WINDOWS\SYSTEM\EGWIZCR.exe
O4 - HKLM\..\Run: [GAV] C:\WINDOWS\SYSTEM\GAV.exe
O4 - HKLM\..\Run: [liconfgc] C:\WINDOWS\SYSTEM\liconfgc.exe
O4 - HKLM\..\Run: [ncrtp] C:\WINDOWS\SYSTEM\ncrtp.exe
O4 - HKLM\..\Run: [PTENUML] C:\WINDOWS\SYSTEM\PTENUML.exe
O4 - HKLM\..\Run: [SVIDCM] C:\WINDOWS\SYSTEM\SVIDCM.exe
O4 - HKLM\..\Run: [ti64hl2a] C:\WINDOWS\SYSTEM\ti64hl2a.exe
O4 - HKLM\..\Run: [TIICDXXA] C:\WINDOWS\SYSTEM\TIICDXXA.exe
O4 - HKLM\..\Run: [TIVIFXXA] C:\WINDOWS\SYSTEM\TIVIFXXA.exe
O4 - HKLM\..\Run: [TL3DC] C:\WINDOWS\SYSTEM\TL3DC.exe
O4 - HKLM\..\Run: [V32QT32I] C:\WINDOWS\SYSTEM\V32QT32I.exe
O4 - HKLM\..\Run: [W3DPRO2S] C:\WINDOWS\SYSTEM\W3DPRO2S.exe
O4 - HKLM\..\Run: [WEDISHS] C:\WINDOWS\SYSTEM\WEDISHS.exe
O4 - HKLM\..\Run: [WVIEW32A] C:\WINDOWS\SYSTEM\WVIEW32A.exe
O4 - HKLM\..\Run: [XDIAGD] C:\WINDOWS\SYSTEM\XDIAGD.exe
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\BXXS5.DLL,DllRun
O4 - HKLM\..\Run: [3DRG8FD] C:\WINDOWS\SYSTEM\3DRG8FD.exe
O4 - HKLM\..\Run: [AVAPRXYJ] C:\WINDOWS\SYSTEM\AVAPRXYJ.exe
O4 - HKLM\..\Run: [S3MSII] C:\WINDOWS\SYSTEM\S3MSII.exe
O4 - HKLM\..\Run: [SCONFIGM] C:\WINDOWS\SYSTEM\SCONFIGM.exe
O4 - HKLM\..\Run: [TSSVEXXA] C:\WINDOWS\SYSTEM\TSSVEXXA.exe
O4 - HKLM\..\Run: [TTSVEXXA] C:\WINDOWS\SYSTEM\TTSVEXXA.exe
O4 - HKLM\..\Run: [qgrhkkwpys] C:\WINDOWS\SYSTEM\flbrgy.exe
O4 - HKLM\..\Run: [satmat] C:\WINDOWS\SATMAT.exe
O4 - HKLM\..\Run: [BFbUYiFux] C:\SAFSA.EXE
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: [switp] C:\WINDOWS\SWITP_BUND_AR3.EXE
O4 - HKLM\..\Run: [¢‰¸ï0 4Ã4}¤Áœ5]C:\Program Files\ISTsvc\istsvc.exe] C:\SAFSA.EXE
O4 - HKLM\..\Run: [¢‰¸ï0+¿ÔÇè]mú*àaîžiC:\Program Files\ISTsvc\istsvc.exe] C:\SAFSA.EXE
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [TSARAXXA] C:\WINDOWS\SYSTEM\TSARAXXA.exe
O4 - HKLM\..\Run: [sssasasb32] C:\WINDOWS\sssasasb32.exe
O4 - HKCU\..\Run: [\Pribi.exe] C:\WINDOWS\ALLUSE~1\APPLIC~1\PRIBI\Pribi.exe

O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\PROGRAM FILES\SIDEFIND\SIDEFIND.DLL

O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla.com/_download/A...ler/dwnldr.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = hello.com
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 137.205.128.17,137.205.128.18,137.205.128.19

When you have done this, reboot your system, then rerun HJT and email me the log.
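The cross-checks a reviewer does by eye on a log like this (does every running program have an autostart entry that explains it, and does the proposed fix list cover every autostart entry, or were some left out by omission rather than decision) can be scripted. The following is an added example written for this post; it is not HijackThis code and not part of DeepC's post. The log and fix-list excerpts inside it are copied from the log and advice above (including one O4 line whose value name contains a stray "]" exactly as the real log shows it); the function names, the Entry class and the section semantics it assumes (R0 = IE start page, O2 = BHO, O4 = autostart, O17 = TCP/IP domain/DNS) are mine.

```python
"""Parse a HijackThis (HJT) log excerpt and cross-check it against a proposed fix list.

Added example, not HijackThis code and not part of the original post. Log and
fix-list text is copied from the post above; helper names are assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Excerpt of the posted log (copied from the page, not constructed).
HJT_LOG = r"""Running processes:
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\FLBRGY.EXE
C:\SAFSA.EXE
C:\WINDOWS\WINAGENT.EXE
C:\WINDOWS\SSSASASB32.EXE

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?hklm
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\NEM220.DLL (file missing)
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [qgrhkkwpys] C:\WINDOWS\SYSTEM\flbrgy.exe
O4 - HKLM\..\Run: [BFbUYiFux] C:\SAFSA.EXE
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: [¢‰¸ï0 4Ã4}¤Áœ5]C:\Program Files\ISTsvc\istsvc.exe] C:\SAFSA.EXE
O4 - HKLM\..\Run: [SvcH0st] C:\WINDOWS\winagent.exe /i
O4 - HKLM\..\Run: [sssasasb32] C:\WINDOWS\sssasasb32.exe
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = hello.com
"""

# Excerpt of the fix list proposed in the post (copied from the page).
FIX_LIST = r"""R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?hklm
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\NEM220.DLL (file missing)
O4 - HKLM\..\Run: [qgrhkkwpys] C:\WINDOWS\SYSTEM\flbrgy.exe
O4 - HKLM\..\Run: [BFbUYiFux] C:\SAFSA.EXE
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: [¢‰¸ï0 4Ã4}¤Áœ5]C:\Program Files\ISTsvc\istsvc.exe] C:\SAFSA.EXE
O4 - HKLM\..\Run: [sssasasb32] C:\WINDOWS\sssasasb32.exe
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = hello.com
"""


@dataclass
class Entry:
    section: str      # "R0", "O2", "O4", "O17", ...
    raw: str          # the full log line, as printed by HJT
    name: str = ""    # O4 registry value name, if the line has one
    exe: str = ""     # executable an O4 command launches, if any


ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<rest>.*)$")
# Greedy name match: the name ends at the LAST "] ", so a value name that
# itself contains "]" (see the log) still splits into name and command.
O4_RE = re.compile(r"^[^:]+: \[(?P<name>.*)\] (?P<cmd>.*)$")
# First ".exe" token, with or without surrounding quotes; paths may contain spaces.
EXE_RE = re.compile(r'^"?(?P<exe>.+?\.exe)"?', re.IGNORECASE)


def parse_hjt(text: str) -> tuple[list[str], list[Entry]]:
    """Return (running processes, parsed R/O entries) from an HJT log."""
    processes: list[str] = []
    entries: list[Entry] = []
    in_processes = False
    for line in text.splitlines():
        line = line.strip()
        if not line:                      # blank line ends the process list
            in_processes = False
            continue
        if line.lower() == "running processes:":
            in_processes = True
            continue
        if in_processes:
            processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        entry = Entry(m["section"], line)
        if entry.section == "O4":
            o4 = O4_RE.match(m["rest"])
            if o4:
                entry.name = o4["name"]
                exe = EXE_RE.match(o4["cmd"])
                entry.exe = exe["exe"] if exe else o4["cmd"]
        entries.append(entry)
    return processes, entries


def basename(path: str) -> str:
    """Case-folded file name, so C:\\WINDOWS\\TASKMON.EXE matches c:\\windows\\taskmon.exe."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].upper()


def processes_without_autostart(processes: list[str], entries: list[Entry]) -> list[str]:
    """Running programs that no O4 autostart entry accounts for. Each needs
    another explanation (the shell, a service, started by another process)
    before it is ignored."""
    started = {basename(e.exe) for e in entries if e.section == "O4" and e.exe}
    return [p for p in processes if basename(p) not in started]


def unreviewed_entries(entries: list[Entry], fix_list_text: str) -> list[Entry]:
    """Log entries the proposed fix list does not mention. Each should be a
    conscious keep-or-fix decision, not an omission."""
    fixed = {l.strip() for l in fix_list_text.splitlines() if l.strip()}
    return [e for e in entries if e.raw not in fixed]


def review_flags(entries: list[Entry]) -> list[tuple[str, str]]:
    """Entries worth a second look on their own: references to files that no
    longer exist, and O17 lines, which change the machine's domain/DNS settings."""
    flags = []
    for e in entries:
        if "(file missing)" in e.raw or "(no file)" in e.raw:
            flags.append(("orphaned reference", e.raw))
        if e.section == "O17":
            flags.append(("TCP/IP domain or DNS setting changed", e.raw))
    return flags


if __name__ == "__main__":
    procs, ents = parse_hjt(HJT_LOG)
    print("Running but no O4 entry:", processes_without_autostart(procs, ents))
    print("Not in fix list:", [e.name or e.raw for e in unreviewed_entries(ents, FIX_LIST)])
    for reason, raw in review_flags(ents):
        print(f"{reason}: {raw}")
```

On the excerpt, the only running program with no O4 entry is EXPLORER.EXE (the shell, which is expected), and the two O4 entries absent from the fix-list excerpt are [TaskMonitor] and [SvcH0st]; the first was kept on purpose, the second is for the reviewer to decide. Comparing whole lines rather than value names means a line that changes between two log runs is reported again rather than silently treated as already handled.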