IMPORTANT: Only authorized members may reply to threads in this forum due to the complexity of the malware removal process. Authorized members include Malware Specialists and Trainees, Administrators, Moderators, and Trusted Advisors. Regular members are not permitted to reply, and any such posts will be deleted without notice or further explanation. Notice

hijack this log please help

815 Views 1 Reply 2 Participants Last post by buckaroo, Apr 12, 2004

motbot

Discussion Starter · Apr 12, 2004

Hi,
I'm running Win98, have Macafee Virus Scan, It found and deleted a Klez worm. Spybot and Adaware are no longer finding anything either. However, the home page is changed and I had to run regedit restore to a previous registry backup in order to go anywhere online. Here's the hijack this log. Can someone look at it and see what I need to do?

thank you very much,

motbot

Logfile of HijackThis v1.97.7
Scan saved at 11:08:35 AM, on 4/12/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHLD.EXE
C:\PROGRAM FILES\ISO DEFAULT FOUR\KINDSECTINTRA.EXE
C:\WINDOWS\STARTER.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSESCN.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSRTE.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCMNHDLR.EXE
C:\PROGRAM FILES\MCAFEE.COM\SHARED\MGHTML.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\SPYBOTSD.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bellsouth.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6711
O1 - Hosts: 204.244.184.143 SafeWeb.com
O1 - Hosts: 204.244.184.143 WWW.SafeWeb.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\REAL\TOOLBAR\REALBAR.DLL
O2 - BHO: (no name) - {817B893E-2F3A-E0FD-56DC-C101005BA8ED} - C:\windows\system\cbwszbnb.dll (file missing)
O2 - BHO: (no name) - {09D874AB-BF21-3BEC-DB9D-D0921BB368F5} - C:\windows\system\wdpvtvel.dll (file missing)
O2 - BHO: (no name) - {0C5A9520-C9A3-0DC1-4055-406EC1222613} - C:\PROGRAM FILES\WIPE TIME CDROM\HIDE ENC.DLL
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHL.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Ford Move Phone - {19AFCD0E-085B-5ED6-A03D-6A43497564B0} - C:\PROGRAM FILES\WIPE TIME CDROM\HIDE ENC.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [VirusScan Online] "C:\PROGRA~1\MCAFEE.COM\VSO\mcvsshld.exe"
O4 - HKLM\..\Run: [Noun Poke] C:\PROGRA~1\ISODEF~1\kindsectintra.exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\McAgent.exe
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O16 - DPF: {B24F0664-7DDA-40B6-B38C-A4FD68DE8685} (CentraDownloaderCtl Class) - http://centraone.stanford.edu/main/Install/en/US/CentraDownloader.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,76/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,16/mcgdmgr.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/026ad4f7202f894fff06/netzip/RdxIE601.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38014.3308217593
O16 - DPF: {0000000A-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/d/4/4/d446e8a9-3a86-4b59-bb19-f5bd11b40367/wmavax.CAB
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.overpro.com/WildApp.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net

See less See more

Save

Status: Not open for further replies.

1 - 1 of 2 Posts

buckaroo

· #2 · Apr 12, 2004

Hi motbot, welcome to TSG.

Close your browser, check the following two entries in HJT, click fix and reboot.

O1 - Hosts: 204.244.184.143 SafeWeb.com
O1 - Hosts: 204.244.184.143 WWW.SafeWeb.com

I can't find any info on these entries:

O2 - BHO: (no name) - {817B893E-2F3A-E0FD-56DC-C101005BA8ED} - C:\windows\system\cbwszbnb.dll (file missing)

O2 - BHO: (no name) - {09D874AB-BF21-3BEC-DB9D-D0921BB368F5} - C:\windows\system\wdpvtvel.dll (file missing)

O2 - BHO: (no name) - {0C5A9520-C9A3-0DC1-4055-406EC1222613} - C:\PROGRAM FILES\WIPE TIME CDROM\HIDE ENC.DLL

O3 - Toolbar: Ford Move Phone - {19AFCD0E-085B-5ED6-A03D-6A43497564B0} - C:\PROGRAM FILES\WIPE TIME CDROM\HIDE ENC.DLL

They may be legit, I don't know. You can have HJT remove them. If you need them restored, HJT backs up whatever you fix and you can restore them if you need them.

See less See more

Save

1 - 1 of 2 Posts

Status: Not open for further replies.

Top Contributors this Month