My HiJack This Log - Win 98 SE - Please Help

Question

Hi, Symptoms were mainly slow internet access and Internet Explorer homepage being hijacked to various sites (searching about casinos, home loans etc). I have run Stinger, used ZoneAlarm to block IE from accessing the web and now use FireFox/Mozilla. I have deleted some files that I know to be malicious. No more problems, but I know the bad files are still there. HJT Log is as follows: Logfile of HijackThis v1.99.1 Scan saved at 12:57:03 AM, on 25/04/05 Platform: Windows 98 SE (Win9x 4.10.2222A) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\SYSTEM\KERNEL32.DLL C:\WINDOWS\SYSTEM\MSGSRV32.EXE C:\WINDOWS\SYSTEM\SPOOL32.EXE C:\WINDOWS\SYSTEM\MPREXE.EXE C:\WINDOWS\SYSTEM\ATI2PLXX.EXE C:\WINDOWS\SYSTEM\MSTASK.EXE C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE C:\PROGRAM FILES\NORTON INTERNET SECURITY\NISSERV.EXE C:\PROGRAM FILES\NORTON INTERNET SECURITY\IAMAPP.EXE C:\PROGRAM FILES\NORTON INTERNET SECURITY\NISUM.EXE C:\WINDOWS\SYSTEM\RPCSS.EXE C:\WINDOWS\SYSTEM\mmtask.tsk C:\WINDOWS\EXPLORER.EXE C:\WINDOWS\TASKMON.EXE C:\WINDOWS\SYSTEM\SYSTRAY.EXE C:\WINDOWS\SYSTEM\ATIPTAXX.EXE C:\WINDOWS\SYSTEM\ATI2CWXX.EXE C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPLPR.EXE C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPENH.EXE C:\WINDOWS\SYSTEM\PRPCUI.EXE C:\WINDOWS\DOCKAPP.EXE C:\WINDOWS\SYSTEM\QTTASK.EXE C:\PROGRAM FILES\COMMON FILES\ADAPTEC SHARED\CREATECD\CREATECD50.EXE C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 5\DIRECTCD\DIRECTCD.EXE C:\WINDOWS\SYSTEM\HPOOPM07.EXE C:\PROGRAM FILES\USB DISK TOOL\USNDISKT.EXE C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\AIM\AIM.EXE C:\PROGRAM FILES\MICROSOFT REFERENCE\BOOKSHELF 2000\QSHELF2K.EXE C:\PROGRAM FILES\NETSHOW SERVICES\TOOLS\REXPROXY.EXE C:\WINDOWS\RUNDLL32.EXE C:\PALM\HOTSYNC.EXE C:\WINDOWS\SYSTEM\WMIEXE.EXE C:\WINDOWS\RUNDLL32.EXE C:\PROGRAM FILES\IOLO\SYSTEM MECHANIC 5\POPUPSTOPPER.EXE C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE C:\WINDOWS\SYSTEM\DDHELP.EXE C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE C:\PROGRAM FILES\WINZIP\WINZIP32.EXE C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://passport.sympatico.ca/userprofiledetection.aspx?aot=mail〈=en R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.martfinder.com R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.crooder.com/search/ R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Sympatico N1 - Netscape 4: user_pref('browser.startup.homepage', 'http://home.netscape.com/'); (C:\Program Files\Netscape\Users\mark\prefs.js) O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun O4 - HKLM\..\Run: [TaskMonitor] c:\windows	askmon.exe O4 - HKLM\..\Run: [SystemTray] SysTray.Exe O4 - HKLM\..\Run: [ATIPOLAB] ati2plxx.exe O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe O4 - HKLM\..\Run: [Ati2cwxx] Ati2cwxx.exe O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe O4 - HKLM\..\Run: [BayMgr] DockApp.exe O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\SYSTEM\QTTASK.EXE O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE O4 - HKLM\..\Run: [CreateCD50] 'c:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe' -r O4 - HKLM\..\Run: [AdaptecDirectCD] 'c:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe' O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe O4 - HKLM\..\Run: [HPAIO_PrintFolderMgr] C:\WINDOWS\SYSTEM\hpoopm07.exe O4 - HKLM\..\Run: [USB Disk Tool] C:\Program Files\USB Disk Tool\USNDISKT.EXE O4 - HKLM\..\RunServices: [ATIPOLAB] ati2plxx.exe O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe O4 - HKLM\..\RunServices: [ScriptBlocking] 'C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe' -reg O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\AIM\aim.exe -cnetwait.odl O4 - HKCU\..\Run: [System Mechanic Popup Stopper] 'C:\PROGRAM FILES\IOLO\SYSTEM MECHANIC 5\POPUPSTOPPER.EXE' O4 - HKCU\..\RunOnce: [System Mechanic Registry Compact Handler] C:\PROGRAM FILES\IOLO\SYSTEM MECHANIC 5\SYSMECH5.EXE /REMOVEREGCOMPACT O4 - Startup: QuickShelf 2000.lnk = C:\Program Files\Microsoft Reference\Bookshelf 2000\qshelf2k.exe O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O4 - Startup: NRunOnce.lnk = C:\WINDOWS\FONTVIEW.EXE O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE O4 - Global Startup: NetShow PowerPoint Helper.lnk = C:\Program Files\NetShow Services\Tools
sppthlp.exe O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html O9 - Extra button: (no name) - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing) O9 - Extra button: Dell Home - {786F02C0-6358-11D4-A851-507E49C10501} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL (HKCU) O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS
ppdf32.dll O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab Please Help. Thanks

Funkyfreak · Answer

heres a breakdown of that from hijackthis.de:

http://hijackthis.de/logfiles/7f0eaf17b1ce43a0031c6e000e94c1f3.html

so far, get rid of:

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.crooder.com/search/

and that seems to be it!!! the rest seem fine.... if you're unsure ry running a scan with counterspy www.tinyurl.com/4cuz6 <- this will give you a file download box for counterspy

you should also run a scan from trendmicro - http://housecall.trendmicro.com

Message Edited by Funkyfreak on 04-25-2005 08:54 AM

zbestwun2001 · Answer

Johnny , You at least have the Cool WebSearch trojan and you need a special program to clean this up. We can't do this in this fourm, please go to the HJT forum next door. Steve

zbestwun2001 · Answer

STOP!!!!FUNKY FREAK YOU ARE DOING A DISSERVICE TO THESE PEOPLE WITH THIS ADVICE.PLEASE CEASE AND DECIST GIVING OUT THIS ADVICE.IF YOU WANT THIS LOG ANALYZED CORRECTLY PLEASE POST IT IN THE HIJACKTHIS FORUM.

Funkyfreak · Answer

ok then.... so that I don't do that again... where was the disservice??   the option to run counterspy?? which is a good program..   or the option to run a good free online antivirus   or at least....what did I miss?

ky331 · Answer

Funky, i believe the 'dis-service' that zbestwun was referring to was your advocating the particular automatic hijacklog scanner/analyzer that you did.   while it's results might be 'interesting' to look at and ponder... while it might be an interesting 'starting point'... the simple fact of the matter is that this particular analysis site is 'faulty', in that it will generate both 'false positives' and 'false negatives'... that is to say, it will tell you some entries are bad when in fact they are really good, and conversely, it will overlook some really bad entries, indicating/implying that they are good.   Consequently, by blindly accepting their analysis as if it were accurate, the average person can get into trouble.   that being the case, it's better to leave the matter of HJT analysis to the experts in the HJT forum

Funkyfreak · Answer

Well ok then...  I can fully understand and agree with that.... (I suppose I shouldn't have linked the log) I agree with you that it does generate false results.. But it is a good, quick starting point in the sense that it lists them nicely and gives some info (speaking of that I missed an IE search page)....  and you are right , you should never trust the results fully.... (hence the link for counterspy and housecall) and it should always be reviewed by someone that knows....   I find the results from that analysis easier to read than just the straight log.....   So... again I agree that the log should be read by an expert.... but since I didn't know there was a hijackthis forum(and neither did he) and no one had answered him yet..... at least I got him started on something.   So then I apologize for linking a site that provides false negatives and positives (research is always a good thing to do with a program like hijackthis)   I just had to know what the CAPS and red was about .... I've been in this industry for a few years now and have been supporting spyware for over 9 months and have never been spoken to about my results.... Not like that...  My fault for replying to a post first thing in the morning and not reviewing it...   thanks for the clarification..

Virus & Spyware

Was this post helpful?