OK, well, this is a computer from my school. It's been having a lot of problems with it; I ran Spybot and Adware and the Panda online virus scanner. A student screwed this computer up, but here's the HijackThis log. Thanks guys!

Logfile of HijackThis v1.97.7
Scan saved at 12:01:19 PM, on 4/1/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\RTVSCN95.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\DEFWATCH.EXE
C:\PROGRAM FILES\COMMON FILES\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\NOVELL\CLIENT32\NWRECMSG.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\IGFXTRAY.EXE
C:\WINDOWS\SYSTEM\HKCMD.EXE
C:\WINDOWS\SYSTEM\DPMW32.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\VPTRAY.EXE
C:\WINDOWS\SYSTEM\SAHAGENT.EXE
C:\WINDOWS\SYSTEM\MSBB.EXE
C:\WINDOWS\SYSTEM\CTFMON.EXE
C:\PROGRAM FILES\VBOUNCER\VIRTUALBOUNCER.EXE
C:\PROGRAM FILES\ADDESTROYER\ADDESTROYER.EXE
C:\MY DOCUMENTS\HIJACKTHIS1977\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=99
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ccboe.com/
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296DA} - C:\WINDOWS\SYSTEM\IAICM.DLL
O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - C:\WINDOWS\BI.DLL
O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
O2 - BHO: (no name) - {00000580-C637-11D5-831C-00105AD6ACF0} - C:\WINDOWS\MSVIEW.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\SYSTEM\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\SYSTEM\hkcmd.exe
O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\SYSTEM\dpmw32.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\Norton AntiVirus\vptray.exe
O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
O4 - HKLM\..\Run: [SAHAgent] C:\WINDOWS\SYSTEM\SahAgent.exe
O4 - HKLM\..\Run: [msbb] C:\WINDOWS\SYSTEM\MSBB.EXE
O4 - HKLM\..\Run: [JZD] C:\WINDOWS\JZD.exe
O4 - HKLM\..\Run: [PJSM] C:\WINDOWS\PJSM.exe
O4 - HKLM\..\Run: [BSILYPS] C:\WINDOWS\BSILYPS.exe
O4 - HKLM\..\Run: [KOBIVIY] C:\WINDOWS\KOBIVIY.exe
O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\SYSTEM\DP-O13M09.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Workstation Scheduler] C:\novell\client32\wm95.exe
O4 - HKLM\..\RunServices: [rtvscn95] C:\Program Files\Norton AntiVirus\rtvscn95.exe
O4 - HKLM\..\RunServices: [defwatch] C:\Program Files\Norton AntiVirus\defwatch.exe
O4 - HKLM\..\RunServices: [MOSearch] C:\PROGRA~1\COMMON~1\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE
O4 - HKLM\..\RunServices: [MDM7] "C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\RunServices: [ctfmon.exe] ctfmon.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Startup: Virtual Bouncer.lnk = C:\Program Files\VBouncer\VirtualBouncer.exe
O4 - Startup: AdDestroyer.lnk = C:\Program Files\AdDestroyer\AdDestroyer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37642.3454976852
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/219f3b7f42c32afe2f20/netzip/RdxIE601.cab
O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} (F1 Organizer Class) - http://www.netpaloffers.net/NetpalOffers/DMO1/IAicm.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
Hi,
There are several things happening here. First, glad to see you're running Spybot & Adware; update those programs online and run them again, because they should not be missing the spyware that is still on this machine, so do that first. Run both programs while online, then click for 'updates'. In addition to them, download Spy Sweeper (the free trial), run it and delete everything it finds with its scan.

There are a couple of spyware programs that are linked with your 'winsock' connection (Msbb.exe & SAHagent) and have the ability to break your internet connection. They need to be removed carefully, and you should have a backup ready in case you develop a connection problem; that backup is the LSPFix file. Download it here: LSPFIX.EXE, and have it handy. This doesn't mean you will lose your connection, just be ready.

Go to your control panel / add/remove programs and locate 'ShopAtHomeSelectAgent', '180Solutions' or 'Ncase', 'VIRTUAL BOUNCER' & 'AdDESTROYER'. Click on them, then select 'remove'; if it's not successful, then try in 'safe mode'.

Go to the C:\Windows\Downloaded Program Files folder and delete the 'SAHUninstall.exe' file. Using 'find', search for "SahAgent.log" with the quotation marks, and delete it.

SAHagent is an LSP and is intrinsically connected to your winsock. The above files are safe to remove; Spybot & Spysweeper will get the rest.

For safe mode:
Reboot the PC, immediately tap the F8 key, and when the menu appears choose 'safe mode' using your up and down arrow keys. Now go to add/remove programs and try the uninstall.

While you're in safe mode, check for this folder: go to Program Files\Common Files\Updater. This is the parent folder of your 'Wupdater.exe' spyware; once found, delete it.

Also, there is a whole section of 'unknown' exe files that are either a virus, trojan or keylogger, starting with the O4 section that begins with JZD.exe through DP-O13M09.EXE. They will need further investigation if they remain after HijackThis; for starters, disable them from startup using your msconfig, see bottom of post.

Use this TD3 TROJAN REMOVER to work over that battery of exe files in your O4. Considering so many 'unknowns' in that section, this is a high priority download.

-------------------

Run HijackThis again, select all of the following by putting a check mark next to them, then click on the FIX button to remove them:

C:\PROGRAM FILES\COMMON FILES\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE

C:\WINDOWS\SYSTEM\SAHAGENT.EXE

C:\WINDOWS\SYSTEM\MSBB.EXE

C:\PROGRAM FILES\ADDESTROYER\ADDESTROYER.EXE

R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)

O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296DA} - C:\WINDOWS\SYSTEM\IAICM.DLL

O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - C:\WINDOWS\BI.DLL

O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL

O2 - BHO: (no name) - {00000580-C637-11D5-831C-00105AD6ACF0} - C:\WINDOWS\MSVIEW.DLL

O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
O4 - HKLM\..\Run: [SAHAgent] C:\WINDOWS\SYSTEM\SahAgent.exe
O4 - HKLM\..\Run: [msbb] C:\WINDOWS\SYSTEM\MSBB.EXE

O4 - HKLM\..\Run: [JZD] C:\WINDOWS\JZD.exe
O4 - HKLM\..\Run: [PJSM] C:\WINDOWS\PJSM.exe
O4 - HKLM\..\Run: [BSILYPS] C:\WINDOWS\BSILYPS.exe
O4 - HKLM\..\Run: [KOBIVIY] C:\WINDOWS\KOBIVIY.exe
O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\SYSTEM\DP-O13M09.EXE

O4 - HKLM\..\RunServices: [MOSearch] C:\PROGRA~1\COMMON~1\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE

O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Startup: Virtual Bouncer.lnk = C:\Program Files\VBouncer\VirtualBouncer.exe

O4 - Startup: AdDestroyer.lnk = C:\Program Files\AdDestroyer\AdDestroyer.exe

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/219f3b7f42c32a...ip/RdxIE601.cab
O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} (F1 Organizer Class) - http://www.netpaloffers.net/NetpalOffers/DMO1/IAicm.cab

--------------

Also run all of these online scans; they are heavy on finding trojans:
Ravantivirus Scan
Bit Defender Scan
Black Code Scan

-------

While in 'Safe Mode",
Go to start / run / msconfig
Disable these process's by unchecking them,
dnxf.exe
ddmb.exe
msbb.exe

Uncheck ALL of these, if seen:
JZD.exe
PJSM.exe
BSILYPS.exe
KOBIVIY.exe
DP-O13M09.EXE
MOSEARCH.EXE

That barrage of exe/trojans is very strange. Use the online scans and the updated Spybot programs, and the TD3 trojan hunter first, to take them out; after that you may have to remove them directly from the registry, but try the programs first.

:)
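As an added example (not from the thread or from HijackThis itself), a small Python triage script over lines in the HijackThis log format shown above. It flags the same classes of entry the reply singles out: an IE search or start page pointing off the expected host, BHOs with no name, autorun entries outside a vetted allowlist, and O16 ActiveX cabs served from a bare IP address. The sample lines, the allowlist of known-good Run names and the expected home-page host are assumptions constructed for this demo.

```python
import re
from urllib.parse import urlparse

# Constructed sample in HijackThis v1.97 line format: a subset of the entry
# types the thread's log contains, not the full log.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=99
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ccboe.com/
O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - C:\WINDOWS\BI.DLL
O4 - HKLM\..\Run: [vptray] C:\Program Files\Norton AntiVirus\vptray.exe
O4 - HKLM\..\Run: [KOBIVIY] C:\WINDOWS\KOBIVIY.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/219f3b7f42c32afe2f20/netzip/RdxIE601.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

# Assumptions for this demo: Run-key names already vetted as legitimate on
# this machine, and the host the school's home page is expected to use.
KNOWN_RUN_NAMES = {"scanregistry", "taskmonitor", "systemtray", "loadpowerprofile",
                   "igfxtray", "hotkeyscmds", "ndps", "vptray", "ctfmon.exe"}
EXPECTED_HOSTS = {"www.ccboe.com"}

LINE_RE = re.compile(r"^(R\d|O\d+) - (.*)$")      # "<code> - <body>"
O4_RE = re.compile(r"\[([^\]]+)\]\s+(.*)")         # "[name] command"
IPV4_RE = re.compile(r"\d{1,3}(\.\d{1,3}){3}")

def triage(log_text):
    """Return (code, detail) findings for entries that deserve a second look."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                                   # header / process lines
        code, body = m.groups()
        if code in ("R0", "R1"):                        # IE start / search page
            host = urlparse(body.partition(" = ")[2]).hostname or ""
            if host not in EXPECTED_HOSTS:
                findings.append((code, "browser setting points at " + host))
        elif code == "O2" and "(no name)" in body:     # unnamed BHO
            findings.append((code, "unnamed BHO " + body.rpartition(" - ")[2]))
        elif code == "O4":                              # autorun entries
            n = O4_RE.search(body)
            if n and n.group(1).lower() not in KNOWN_RUN_NAMES:
                findings.append((code, f"unvetted autorun [{n.group(1)}] {n.group(2)}"))
        elif code == "O16":                             # ActiveX download (DPF)
            host = urlparse(body.rpartition(" - ")[2]).hostname or ""
            if IPV4_RE.fullmatch(host):
                findings.append((code, "ActiveX cab served from bare IP " + host))
    return findings

if __name__ == "__main__":
    for code, detail in triage(SAMPLE_LOG):
        print(code, detail)
```

The allowlist approach is how manual HijackThis review works in practice: anything not already vetted is a candidate for investigation, not automatically malicious.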