HijackThislog (empty computer?)

Avie · #1 (**permalink**) 29-08-2005, 08:48 PM

Logfile of HijackThis v1.99.1
Scan saved at 3:49:32 PM, on 8/29/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\SYSTEM\KERNEL32.DLL
D:\WINDOWS\SYSTEM\MSGSRV32.EXE
D:\WINDOWS\SYSTEM\MPREXE.EXE
D:\WINDOWS\SYSTEM\mmtask.tsk
D:\WINDOWS\SYSTEM\DDHELP.EXE
D:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
D:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
D:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
D:\WINDOWS\SYSTEM\DEVLDR16.EXE
D:\WINDOWS\EXPLORER.EXE
D:\WINDOWS\SYSTEM\RPCSS.EXE
D:\WINDOWS\SYSTEM\3CMLNKW.EXE
D:\WINDOWS\SYSTEM\STIMON.EXE
D:\WINDOWS\SYSTEM\SYSTRAY.EXE
D:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHWEBSV.EXE
D:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE
D:\WINDOWS\SYSTEM\WMIEXE.EXE
D:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
D:\WINDOWS\SYSTEM\RNAAPP.EXE
D:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\INSTALL\HIJACKTHIS.EXE

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = IE
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [3Cmlink] D:\WINDOWS\SYSTEM\3cmlnkW.exe
O4 - HKLM\..\Run: [StillImageMonitor] D:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [avast! Web Scanner] D:\PROGRA~1\ALWILS~1\AVAST4\ASHWEBSV.EXE
O4 - HKLM\..\Run: [ashMaiSv] D:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
O4 - HKLM\..\Run: [SmcService] D:\PROGRA~1\SYGATE\SPF\SMC.EXE -startgui
O4 - HKLM\..\Run: [ScanRegistry] D:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\RunServices: [KB891711] D:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [avast!] D:\Program Files\Alwil Software\Avast4\ashServ.exe
O4 - HKLM\..\RunServices: [SmcService] D:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINDOWS\web\related.htm
O15 - Trusted Zone: http://*.windowsupdate.microsoft.com
O15 - Trusted Zone: http://*.update.microsoft.com
O15 - Trusted Zone: http://*.windowsupdate.com

owen · #2 (**permalink**) 01-09-2005, 05:17 PM

Hiya,
Are you having any specific problems? If its just a checkup, then its all clean. I can't see anything nasty in that log.

You also appear to be protected as well, you have Spybot S&D, Avast and Sygate installed. Its useful to have some constantly running spyware protection aswell. Spybot has another module called the TeaTimer which can be activated to constantly protect your PC. Heres instructions on how to enable it from another site:

"Simply startup Spybot by double clicking the icon on your desktop. On the menu bar select "Mode" then select "Advanced Mode", read the dialog box and click "Yes". In the menu on the left near the bottom you'll see a bar labelled "Tools" which you should click on. Now you're presented with various options but the one we're dealing with right now is the one called "Resident". When you click on Resident you see two check boxes, one labelled SDHelper and the other TeaTimer. For TeaTimer make sure that there's a checkmark in the box and it'll be enabled so you should see a new icon in the bottom right near your clock, officially called the notification area as of Windows XP."

Avie · #3 (**permalink**) 03-09-2005, 05:23 PM

Owen, Thank you for going above and beyond helping me with Spybot. I used ot have teatimer, but reinstalled and missed it. Thanks Avie
PS I ahve amnay problems but am working with your site one at a time Bless youawl! Avie

Avie · #4 (**permalink**) 03-09-2005, 06:02 PM

Owen,
Spybot Teatimer immediatly picked up the trojan in HJT: O4 - HKLM\..Run: [ScanRegietry} D:Windows\scanregw.exe/ autorun.

I have killed the StillImageMonitor.

RE: HJT 09's. I do not know what all the extra Tools, and buttons are.

My first complaint was my regiestry was set back to April when I tried a registry restore.

When Teatimer reports I cannot read the bottom of the popup. ?Script error. Am I support to allow or do anything to accept or deny changes?

Thank you Avie

DJNafey · #5 (**permalink**) 04-09-2005, 11:27 PM

Don't know why TeaTimer picked up the Windows registry scan wizard as a trojan - it's not a problem. Doesn't do any harm to remove it but it might give you less capability to restore registry backups (someone else here may understand more about how it works than me).

The extra toolbar buttons showing up as 09s are also not a problem - standard Internet Explorer toolbar options plus a legitimate IE component from Sun for running JavaScript on web sites

owen · #6 (**permalink**) 05-09-2005, 04:00 PM

It didn't detect it as a Trojan, Spybot just flags new entries that are added to the registry that wishes to run when the computer runs. Spybot doesn't know whether they are legitimate or not. Its what you have to decide.

Avie · #7 (**permalink**) 05-09-2005, 10:27 PM

Following up Teatimer SpyBot S&D stating HJT 09 scanregw.exe as trojan. The info given when I highlighted said it was a trojan Scanreg. is the OK one. I removed so I cannot Give you any other info about it. There seem sto be somny like alikes to trick us. Appreciatly, Avie

Avie · #8 (**permalink**) 05-09-2005, 10:35 PM

see latest HJS

* HijackThis v1.99.1 *
Written by Merijn - merijn@spywareinfo.com
http://www.merijn.org/files/hijackthis.zip
http://www.merijn.org/index.html

See bottom for version history.

The different sections of hijacking possibilities have been separated into the following groups.
You can get more detailed information about an item by selecting it from the list of found items OR highlighting the relevant line below, and clicking 'Info on selected item'.

R - Registry, StartPage/SearchPage changes
R0 - Changed registry value
R1 - Created registry value
R2 - Created registry key
R3 - Created extra registry value where only one should be
F - IniFiles, autoloading entries
F0 - Changed inifile value
F1 - Created inifile value
F2 - Changed inifile value, mapped to Registry
F3 - Created inifile value, mapped to Registry
N - Netscape/Mozilla StartPage/SearchPage changes
N1 - Change in prefs.js of Netscape 4.x
N2 - Change in prefs.js of Netscape 6
N3 - Change in prefs.js of Netscape 7
N4 - Change in prefs.js of Mozilla
O - Other, several sections which represent:
O1 - Hijack of auto.search.msn.com with Hosts file
O2 - Enumeration of existing MSIE BHO's
O3 - Enumeration of existing MSIE toolbars
O4 - Enumeration of suspicious autoloading Registry entries
O5 - Blocking of loading Internet Options in Control Panel
O6 - Disabling of 'Internet Options' Main tab with Policies
O7 - Disabling of Regedit with Policies
O8 - Extra MSIE context menu items
O9 - Extra 'Tools' menuitems and buttons
O10 - Breaking of Internet access by New.Net or WebHancer
O11 - Extra options in MSIE 'Advanced' settings tab
O12 - MSIE plugins for file extensions or MIME types
O13 - Hijack of default URL prefixes
O14 - Changing of IERESET.INF
O15 - Trusted Zone Autoadd
O16 - Download Program Files item
O17 - Domain hijack
O18 - Enumeration of existing protocols and filters
O19 - User stylesheet hijack
O20 - AppInit_DLLs autorun Registry value, Winlogon Notify Registry keys
O21 - ShellServiceObjectDelayLoad (SSODL) autorun Registry key
O22 - SharedTaskScheduler autorun Registry key
O23 - Enumeration of NT Services

W98SE Avie

DJNafey · #9 (**permalink**) 06-09-2005, 05:31 AM

Thanks Avie. I had not seen that list of categories before - that's useful to have

Do you still need help with the script error on the Teatimer report?

Avie · #10 (**permalink**) 06-09-2005, 06:22 AM

I woudl love to fix script error on SB S&D's teatimer popup registry change window. Icannot red the bottom right or all the rest of hte three boxes. All the rest is OK. By the way I let the teatimer deny a reg change that I wanted to allow. I do not know how to reverse it now. (Teatimer). Thanks for hanging in there. Avie