
Author Topic: Fixing items in Hijackthis log  (Read 4946 times)


Xeratul

Fixing items in Hijackthis log
« on: February 22, 2006, 08:46:26 PM »
How would I go about deleting these items in my hijackthis log file?  :-?

O1 - Hosts: 127.0
O1 - Hosts: 12zsearchtoolbar.com
O1 - Hosts: 12zsearchtoolbar.com
O1 - Hosts: 12
O1 - Hosts: 127.0.
O1 - Hosts: u.com
O1 - Hosts: com
O1 - Hosts: r.com
O1 - Hosts: bar.com
O1 - Hosts: olbar.com
O1 - Hosts: toolbar.com
O1 - Hosts: ertoolbar.com
O1 - Hosts: wsertoolbar.com
O1 - Hosts: rowsertoolbar.com
O1 - Hosts: 127.0.
O1 - Hosts: 127.0.0
O1 - Hosts: 1
O9 - Extra button: NeoTrace It! - {9885224C-1217-4c5f-83C2-00002E6CEF2B} - C:\PROGRA~1\NEOTRA~1\NTXtoolbar.htm (file missing) (HKCU)
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip.com/zenpuzzlegarden/miniclipGameLoader.dll
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} (WildTangent Active Launcher) - http://install.wildtangent.com/ActiveLauncher/ActiveLauncher.cab

Is the following entry dangerous? My analysis said it was possibly dangerous, and I've heard it is a trojan. I just want to be sure so I don't screw anything up.

C:\WINDOWS\system32\winlogi.exe
« Last Edit: February 22, 2006, 08:59:01 PM by Wraith112 »

dl65

    Re: Fixing items in Hijackthis log
    « Reply #1 on: February 22, 2006, 09:12:34 PM »
    Wraith... How about posting the full, complete HijackThis log... and then we will be able to give you a definitive response.
    Quote
    C:\WINDOWS\system32\winlogi.exe
    Again, it may be an issue; however, the complete log is required.

    dl65  ::)
    If you don't know the answer, it isn't a dumb question.

    Xeratul

    Re: Fixing items in Hijackthis log
    « Reply #2 on: February 22, 2006, 09:19:36 PM »
    Logfile of HijackThis v1.99.1
    Scan saved at 7:49:38 AM, on 2/22/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\Apache Group\Apache2\bin\Apache.exe
    C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
    C:\Program Files\Apache Group\Apache2\bin\Apache.exe
    C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\PRISMSVR.EXE
    C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd.exe
    C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
    C:\Program Files\MsMovies\MsMovies.exe
    C:\WINDOWS\system32\winlogi.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
    C:\Program Files\LimeWire\LimeWire.exe
    C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Jay\Desktop\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.begin2search.com/sidesearch.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:81
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
    O1 - Hosts: 127.0
    O1 - Hosts: 12zsearchtoolbar.com
    O1 - Hosts: 12zsearchtoolbar.com
    O1 - Hosts: 12
    O1 - Hosts: 127.0.
    O1 - Hosts: u.com
    O1 - Hosts: com
    O1 - Hosts: r.com
    O1 - Hosts: bar.com
    O1 - Hosts: olbar.com
    O1 - Hosts: toolbar.com
    O1 - Hosts: ertoolbar.com
    O1 - Hosts: wsertoolbar.com
    O1 - Hosts: rowsertoolbar.com
    O1 - Hosts: 127.0.
    O1 - Hosts: 127.0.0
    O1 - Hosts: 1
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
    O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

    Xeratul

    Re: Fixing items in Hijackthis log
    « Reply #3 on: February 22, 2006, 09:20:07 PM »
    O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\System32\PRISMSVR.EXE" /APPLY
    O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
    O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
    O4 - HKLM\..\Run: [MsMovies] C:\Program Files\MsMovies\MsMovies.exe /auto
    O4 - HKLM\..\Run: [virtual-ie] winlogi.exe
    O4 - HKLM\..\RunServices: [virtual-ie] winlogi.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [ProxyWay] C:\Program Files\ProxyWay\proxyway.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [Desktop Macros] C:\Program Files\Desktop Macros\MacroS.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: Monitor Apache Servers.lnk = C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &NeoTrace It! - C:\PROGRA~1\NEOTRA~1\NTXcontext.htm
    O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: NeoTrace It! - {9885224C-1217-4c5f-83C2-00002E6CEF2B} - C:\PROGRA~1\NEOTRA~1\NTXtoolbar.htm (file missing) (HKCU)
    O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} (Support.com Installer) - http://supportsoft.adelphia.net/sdccommon/download/tgctlins.cab
    O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install/00/alttiff.cab
    O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) -

    Xeratul

    Re: Fixing items in Hijackthis log
    « Reply #4 on: February 22, 2006, 09:20:28 PM »
    https://signup.msn.com/pages/MsnInstC.cab
    O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip.com/zenpuzzlegarden/miniclipGameLoader.dll
    O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} (WildTangent Active Launcher) - http://install.wildtangent.com/ActiveLauncher/ActiveLauncher.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{B5B3DEDA-EF7F-40AE-81C8-EF9F78409863}: NameServer = 67.21.13.2,67.21.13.4
    O20 - Winlogon Notify: accwms - C:\WINDOWS\system\accwms.dll (file missing)
    O20 - Winlogon Notify: infoap - C:\WINDOWS\system32\IAS\infoap.dll (file missing)
    O20 - Winlogon Notify: keyodbc - C:\WINDOWS\system\keyodbc.dll (file missing)
    O20 - Winlogon Notify: netcr - C:\WINDOWS\Config\netcr.dll (file missing)
    O20 - Winlogon Notify: svrmc - C:\WINDOWS\MICROS~1.NET\svrmc.dll (file missing)
    O20 - Winlogon Notify: sysodbc - C:\WINDOWS\Cursors\sysodbc.dll (file missing)
    O20 - Winlogon Notify: taskad - C:\WINDOWS\AppPatch\taskad.dll (file missing)
    O20 - Winlogon Notify: tasklog - C:\WINDOWS\AppPatch\tasklog.dll (file missing)
    O23 - Service: Apache2 - Unknown owner - C:\Program Files\Apache Group\Apache2\bin\Apache.exe" -k runservice (file missing)
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Ventrilo - Unknown owner - C:\Program Files\VentSrv\ventrilo_svc.exe (file missing)


    Xeratul

    Re: Fixing items in Hijackthis log
    « Reply #5 on: February 22, 2006, 09:21:05 PM »
    Oh, never mind, I should have figured this out myself...   :-/

    EDIT 1: I deleted at least most of the malicious entries I believe.
    « Last Edit: February 22, 2006, 09:52:18 PM by Wraith112 »

    Fed

      Re: Fixing items in Hijackthis log
      « Reply #6 on: February 22, 2006, 10:48:14 PM »
      Found the fixit button eh?  :D
      Good for you, take a look around in Hijackthis, there is some good stuff there.

      Backdated

      Re: Fixing items in Hijackthis log
      « Reply #7 on: February 23, 2006, 06:50:53 PM »
      The following entries need attention:

      R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.begin2search.com/sidesearch.html

      R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway

      R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway

      R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:81

      R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local

      O1 - Hosts: 127.0

      O1 - Hosts: 12zsearchtoolbar.com

      O1 - Hosts: 12zsearchtoolbar.com

      O1 - Hosts: 12

      O1 - Hosts: 127.0.

      O1 - Hosts: u.com

      O1 - Hosts: com

      O1 - Hosts: r.com

      O1 - Hosts: bar.com

      O1 - Hosts: olbar.com

      O1 - Hosts: toolbar.com

      O1 - Hosts: ertoolbar.com

      O1 - Hosts: wsertoolbar.com

      O1 - Hosts: rowsertoolbar.com

      O1 - Hosts: 127.0.

      O1 - Hosts: 127.0.0

      O1 - Hosts: 1

      O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)

      O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
       
      O4 - HKLM\..\Run: [MsMovies] C:\Program Files\MsMovies\MsMovies.exe /auto

      O4 - HKLM\..\Run: [virtual-ie] winlogi.exe

      O4 - HKLM\..\RunServices: [virtual-ie] winlogi.exe

      O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

      O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
       
      O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} (WildTangent Active Launcher) - http://install.wildtangent.com/ActiveLauncher/ActiveLauncher.cab

      O20 - Winlogon Notify: accwms - C:\WINDOWS\system\accwms.dll (file missing)

      O20 - Winlogon Notify: infoap - C:\WINDOWS\system32\IAS\infoap.dll (file missing)

      O20 - Winlogon Notify: keyodbc - C:\WINDOWS\system\keyodbc.dll (file missing)

      O20 - Winlogon Notify: netcr - C:\WINDOWS\Config\netcr.dll (file missing)

      O20 - Winlogon Notify: svrmc - C:\WINDOWS\MICROS~1.NET\svrmc.dll (file missing)

      O20 - Winlogon Notify: sysodbc - C:\WINDOWS\Cursors\sysodbc.dll (file missing)

      O20 - Winlogon Notify: taskad - C:\WINDOWS\AppPatch\taskad.dll (file missing)

      O20 - Winlogon Notify: tasklog - C:\WINDOWS\AppPatch\tasklog.dll (file missing)

      O23 - Service: Apache2 - Unknown owner - C:\Program Files\Apache Group\Apache2\bin\Apache.exe" -k runservice (file missing)

      O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

      O23 - Service: Ventrilo - Unknown owner - C:\Program Files\VentSrv\ventrilo_svc.exe (file missing)


      Reboot to Safe Mode, search for and delete the following files or folders:

      C:\Program Files\MsMovies\
      winlogi.exe


      It would be advisable to disable System Restore and flush any restore points and to carry out full AV and malware checks.
      « Last Edit: February 23, 2006, 06:56:35 PM by Backdated »
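Backdated's list above follows a few recognisable patterns in the HijackThis log: a ProxyServer value pointing at a local port, O1 hosts-file overrides, O2/O9 components marked "(no file)", O4 autorun entries that name a bare executable with no path (the winlogi.exe entries), O20 Winlogon Notify DLLs marked "(file missing)", and O23 services whose binary is missing. The script below is an added example, not code from this thread or from the HijackThis project: it parses lines in the v1.99 log format and applies those patterns as triage rules. The sample lines are constructed from the log posted above (with two benign lines for contrast), and the rules are assumptions modelled on the entries Backdated singled out, not an authoritative signature set; a flagged line means "look at this", not "delete this".

```python
import re
from dataclasses import dataclass

# Constructed sample: lines in the HijackThis v1.99 log format taken from the
# log posted in this thread, plus a benign R0 line and a benign O2/O4 pair.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:81
O1 - Hosts: 12zsearchtoolbar.com
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [virtual-ie] winlogi.exe
O4 - HKLM\..\RunServices: [virtual-ie] winlogi.exe
O20 - Winlogon Notify: accwms - C:\WINDOWS\system\accwms.dll (file missing)
O23 - Service: Ventrilo - Unknown owner - C:\Program Files\VentSrv\ventrilo_svc.exe (file missing)
"""

# Every HijackThis entry starts with a section code (R0, R1, O1, O4, ...) followed by " - ".
LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")


@dataclass
class Finding:
    section: str
    line: str
    reason: str


def autorun_target(body):
    """Return the command part of an O4 entry, i.e. what follows '[name] ', without surrounding quotes."""
    if "] " not in body:
        return ""
    return body.split("] ", 1)[1].strip().strip('"')


def triage_line(line):
    """Apply the triage rules (assumed, modelled on this thread) to one log line.

    Returns a Finding for a line worth a closer look, or None for a line the
    rules say nothing about.
    """
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    sec, body = m.group("section"), m.group("body")

    if sec == "R1" and "ProxyServer" in body:
        return Finding(sec, line, "browser proxy forced through a local port; check what listens there")
    if sec == "O1":
        return Finding(sec, line, "hosts-file override; legitimate only if you added it yourself")
    if sec in ("O2", "O9") and body.endswith("(no file)"):
        return Finding(sec, line, "registered browser component whose file no longer exists")
    if sec == "O4":
        target = autorun_target(body)
        # A bare filename (no directory) relies on the search path, which is
        # unusual for legitimate installers and matches the winlogi.exe entries.
        if target and "\\" not in target:
            return Finding(sec, line, "autorun entry names a bare executable with no path")
    if sec == "O20" and "(file missing)" in body:
        return Finding(sec, line, "Winlogon Notify DLL registered but missing on disk")
    if sec == "O23" and "(file missing)" in body:
        return Finding(sec, line, "service registered but its binary is missing on disk")
    return None


def triage_log(text):
    """Run triage_line over a whole log and collect the findings in log order."""
    return [f for f in (triage_line(l) for l in text.splitlines()) if f]


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

The rule set deliberately leaves "Unknown owner" O23 services alone (the Ati HotKey Poller entry in the log is one, and nobody in the thread flagged it); only entries whose binary is actually missing are raised, which is what a reviewer reading the log by hand keyed on.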