#16
Logfile of HijackThis v1.98.1
Scan saved at 5:16:00 PM, on 8/6/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
C:\Program Files\Apache Group\Apache2\bin\Apache.exe
C:\WINNT\System32\drivers\CDAC11BA.EXE
C:\WINNT\system32\scagent.exe
C:\Program Files\Apache Group\Apache2\bin\Apache.exe
C:\WINNT\System32\wuauclt.exe
C:\Documents and Settings\Michael Jensen\Desktop\hijackthis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Michael Jensen\Desktop\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIPTA] atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Monitor Apache Servers.lnk = C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O18 - Filter: text/html - {EE7A946E-61FA-4979-87B8-A6C462E6FA62} - C:\WINNT\digfilt.dll
#17
Copy the text in the quote box below to Notepad. Name the file nofilter.reg and change the "Save as type" to All files. Then save the file to the desktop.
Quote:
Then double-click on the nofilter.reg file and press Yes if it asks whether you would like to merge it. Reboot to safe mode and delete the following file: C:\WINNT\digfilt.dll
Reboot into normal mode and post a new log.
#18
Alright, I did the nofilter.reg step and went into safe mode and deleted the digfilt.dll file, but it still shows up in the log (and is still on the system). I'm not sure if it's supposed to be like this, but there are two more files that are similarly named:
1) digfilt2.dll
2) digfilt2.dll1

Here's the new log:

Logfile of HijackThis v1.98.1
Scan saved at 12:02:06 PM, on 8/7/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
C:\Program Files\Apache Group\Apache2\bin\Apache.exe
C:\WINNT\System32\drivers\CDAC11BA.EXE
C:\WINNT\system32\scagent.exe
C:\Program Files\Apache Group\Apache2\bin\Apache.exe
C:\Documents and Settings\Michael Jensen\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/security/default.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/keyword/%s
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIPTA] atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Monitor Apache Servers.lnk = C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O18 - Filter: text/html - {EE7A946E-61FA-4979-87B8-A6C462E6FA62} - C:\WINNT\digfilt.dll
#19
Please download this file to your desktop and extract the file from the zip onto your desktop. Then run the vbs file and post the contents of the notepad that will appear as a response to this message.
It can be downloaded from here: http://www.computercops.biz/modules.php?na...ownload&id=2239
#20
These are the Current Active Services:

APACHE2: Apache2 "C:\Program Files\Apache Group\Apache2\bin\Apache.exe" -k runservice
ATI HOTKEY POLLER: Ati HotKey Poller C:\WINNT\System32\Ati2evxx.exe
WINDOWS AUDIO: AudioSrv C:\WINNT\System32\svchost.exe -k netsvcs
COMPUTER BROWSER: Browser C:\WINNT\System32\svchost.exe -k netsvcs
CRYPTOGRAPHIC SERVICES: CryptSvc C:\WINNT\system32\svchost.exe -k netsvcs
DHCP CLIENT: Dhcp C:\WINNT\System32\svchost.exe -k netsvcs
LOGICAL DISK MANAGER: dmserver C:\WINNT\System32\svchost.exe -k netsvcs
ERROR REPORTING SERVICE: ERSvc C:\WINNT\System32\svchost.exe -k netsvcs
COM+ EVENT SYSTEM: EventSystem C:\WINNT\System32\svchost.exe -k netsvcs
FAST USER SWITCHING COMPATIBILITY: FastUserSwitchingCompatibility C:\WINNT\System32\svchost.exe -k netsvcs
HELP AND SUPPORT: helpsvc C:\WINNT\System32\svchost.exe -k netsvcs
SERVER: lanmanserver C:\WINNT\System32\svchost.exe -k netsvcs
WORKSTATION: lanmanworkstation C:\WINNT\System32\svchost.exe -k netsvcs
NETWORK CONNECTIONS: Netman C:\WINNT\System32\svchost.exe -k netsvcs
NETWORK LOCATION AWARENESS (NLA): Nla C:\WINNT\System32\svchost.exe -k netsvcs
REMOVABLE STORAGE: NtmsSvc C:\WINNT\system32\svchost.exe -k netsvcs
TASK SCHEDULER: Schedule C:\WINNT\System32\svchost.exe -k netsvcs
SECONDARY LOGON: seclogon C:\WINNT\System32\svchost.exe -k netsvcs
SYSTEM EVENT NOTIFICATION: SENS C:\WINNT\system32\svchost.exe -k netsvcs
SHELL HARDWARE DETECTION: ShellHWDetection C:\WINNT\System32\svchost.exe -k netsvcs
SYSTEM RESTORE SERVICE: srservice C:\WINNT\System32\svchost.exe -k netsvcs
TERMINAL SERVICES: TermService C:\WINNT\System32\svchost.exe -k netsvcs
THEMES: Themes C:\WINNT\System32\svchost.exe -k netsvcs
DISTRIBUTED LINK TRACKING CLIENT: TrkWks C:\WINNT\system32\svchost.exe -k netsvcs
UPLOAD MANAGER: uploadmgr C:\WINNT\System32\svchost.exe -k netsvcs
WINDOWS TIME: W32Time C:\WINNT\System32\svchost.exe -k netsvcs
WINDOWS MANAGEMENT INSTRUMENTATION: winmgmt C:\WINNT\system32\svchost.exe -k netsvcs
AUTOMATIC UPDATES: wuauserv C:\WINNT\system32\svchost.exe -k netsvcs
WIRELESS ZERO CONFIGURATION: WZCSVC C:\WINNT\System32\svchost.exe -k netsvcs
C-DILLACDAC11BA: C-DillaCdaC11BA C:\WINNT\System32\drivers\CDAC11BA.EXE
DNS CLIENT: Dnscache C:\WINNT\System32\svchost.exe -k NetworkService
EVENT LOG: Eventlog C:\WINNT\system32\services.exe
PLUG AND PLAY: PlugPlay C:\WINNT\system32\services.exe
TCP/IP NETBIOS HELPER: LmHosts C:\WINNT\System32\svchost.exe -k LocalService
REMOTE REGISTRY: RemoteRegistry C:\WINNT\system32\svchost.exe -k LocalService
SSDP DISCOVERY SERVICE: SSDPSRV C:\WINNT\System32\svchost.exe -k LocalService
WEBCLIENT: WebClient C:\WINNT\System32\svchost.exe -k LocalService
IPSEC SERVICES: PolicyAgent C:\WINNT\System32\lsass.exe
PROTECTED STORAGE: ProtectedStorage C:\WINNT\system32\lsass.exe
SECURITY ACCOUNTS MANAGER: SamSs C:\WINNT\system32\lsass.exe
REMOTE PROCEDURE CALL (RPC): RpcSs C:\WINNT\system32\svchost -k rpcss
SECURITY AGENT: scagent "C:\WINNT\system32\scagent.exe" start
PRINT SPOOLER: Spooler C:\WINNT\system32\spoolsv.exe
WINDOWS IMAGE ACQUISITION (WIA): stisvc C:\WINNT\System32\svchost.exe -k imgsvc
STYLEXPSERVICE: StyleXPService "C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe"
#21
Launch Notepad, and copy and paste the contents of the quote box below into a new text file.
Save it as file name: "fixme.reg" (not including the quotes). Save as file type: All files (*.*) and save it on your Desktop.
Quote:
Then, locate fixme.reg on your Desktop and double-click on it. You will receive a prompt similar to: "Do you wish to merge the information into the registry?". Answer 'Yes' and wait for a message to appear similar to "Merged Successfully". Reboot your computer into safe mode and delete the following file: C:\WINNT\system32\scagent.exe
Reboot into normal mode and post a brand new log.
#22
Logfile of HijackThis v1.98.2
Scan saved at 11:00:38 AM, on 8/24/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Apache Group\Apache2\bin\Apache.exe
C:\WINNT\System32\drivers\CDAC11BA.EXE
C:\Program Files\Apache Group\Apache2\bin\Apache.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINNT\System32\RUNDLL32.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
C:\WINNT\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Michael Jensen\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 203.129.224.118:8000
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIPTA] atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Monitor Apache Servers.lnk = C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O18 - Filter: text/html - {EE7A946E-61FA-4979-87B8-A6C462E6FA62} - C:\WINNT\digfilt.dll
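Added example (not code posted by anyone in this thread): a small Python script that reads HijackThis logs the way the helper here reads them. It diffs two scans so that an entry which survived a remediation attempt (the O18 text/html filter pointing at digfilt.dll, still listed after the nofilter.reg step) and an entry that is new since the previous scan (the R1 ProxyServer setting) stand out, and it flags the two entry types that sit in the path of browser traffic. The two sample logs inside the script are constructed, abbreviated excerpts modelled on the logs posted above, and the review heuristics (any O18 filter, any proxy on a non-private address) are this example's own generalisation, not part of HijackThis.

```python
"""Parse HijackThis (HJT) logs, diff two scans, and flag entries worth review.

Added example for this thread, not a tool posted in it. The sample logs are
constructed, abbreviated excerpts modelled on the posted ones; the review
heuristics are this example's own, not part of HJT.
"""
import ipaddress
import re
from typing import Dict, List, Set, Tuple

# Constructed sample: first scan, before remediation was attempted.
LOG_BEFORE = r"""Logfile of HijackThis v1.98.1
Scan saved at 5:16:00 PM, on 8/6/2004
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\scagent.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O18 - Filter: text/html - {EE7A946E-61FA-4979-87B8-A6C462E6FA62} - C:\WINNT\digfilt.dll
"""

# Constructed sample: a later scan, after the fix was supposedly applied.
LOG_AFTER = r"""Logfile of HijackThis v1.98.2
Scan saved at 11:00:38 AM, on 8/24/2004
Running processes:
C:\WINNT\System32\smss.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 203.129.224.118:8000
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O18 - Filter: text/html - {EE7A946E-61FA-4979-87B8-A6C462E6FA62} - C:\WINNT\digfilt.dll
"""

# An HJT entry line starts with a section tag such as R1, O2, O4 or O18.
ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.+)$")
PROXY_RE = re.compile(r"ProxyServer = ([\w.\-]+)(?::(\d+))?")


def parse_hjt(text: str) -> Dict[str, List[str]]:
    """Split a log into its running-process list and its tagged entries."""
    processes: List[str] = []
    entries: List[str] = []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ENTRY_RE.match(line):
            in_processes = False      # first tagged entry ends the process list
            entries.append(line)
        elif line.lower().startswith("running processes:"):
            in_processes = True
        elif in_processes:
            processes.append(line)
    return {"processes": processes, "entries": entries}


def diff_logs(before: str, after: str) -> Tuple[Set[str], Set[str], Set[str]]:
    """Return (added, removed, persisted) entry sets between two scans."""
    old = set(parse_hjt(before)["entries"])
    new = set(parse_hjt(after)["entries"])
    return new - old, old - new, old & new


def is_external_host(host: str) -> bool:
    """True when a proxy host is a public IP; hostnames cannot be judged offline."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return True
    return not (ip.is_private or ip.is_loopback)


def flag_entries(entries: List[str]) -> List[Tuple[str, str]]:
    """Attach a review reason to the entries a defender would check first."""
    flags = []
    for entry in entries:
        tag = entry.split(" ", 1)[0]
        if tag == "O18":
            # A MIME filter sees every page IE renders; third-party ones are rare.
            flags.append((entry, "O18 filter hooks IE content handling; verify the DLL"))
        elif tag == "R1" and "ProxyServer" in entry:
            m = PROXY_RE.search(entry)
            if m and is_external_host(m.group(1)):
                flags.append((entry, "proxy on an external host redirects browser traffic"))
    return flags


def report(before: str, after: str) -> Dict[str, object]:
    """Summarise what changed between scans and what still needs attention."""
    added, removed, persisted = diff_logs(before, after)
    return {
        "added": sorted(added),
        "removed": sorted(removed),
        "flagged_persisted": [e for e, _ in flag_entries(sorted(persisted))],
        "flagged_new": flag_entries(sorted(added)),
    }


if __name__ == "__main__":
    result = report(LOG_BEFORE, LOG_AFTER)
    for e in result["flagged_persisted"]:
        print("STILL PRESENT after fix:", e)
    for e, why in result["flagged_new"]:
        print("NEW and flagged:", e, "->", why)
    for e in result["added"]:
        print("added since last scan:", e)
```

Run against the real logs by replacing the two sample strings with the full text of two posted scans; the "STILL PRESENT" line is the quickest way to confirm whether a reg merge and safe-mode delete actually took, which is the question the helper asks in the next post.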
#23
You did run that reg file, right?
Also give me another getservices log, as I need to make sure the service is gone.
Dev Shed Forums > System Administration > Antivirus Protection > Hijack This Log - Help Needed