Author Topic: Do I enable all start-up programs for Hjt scan?  (Read 3739 times)

Offline smallclaimshammer
Do I enable all start-up programs for Hjt scan?
« Reply #20 on: February 21, 2005, 09:56:35 PM »
Hello, guestolo. Ran Killbox and removed files as instructed. The very last ones took extra time; my system slowed to a crawl. Could not get the cursor to move easily. Last entry was entered and Killbox did not ask about reboot; I closed it after a time through Ctrl-Alt-Delete, then shutdown. Ran VX2, deleted OK the one file shown. Then ran Hoster, restored Hosts, OK. Ran DLL Compare; see log to follow. Ran VX2 again, no files found. See HijackThis log. Standing by to kill what's left. Please advise on best settings/setups for Firefox if you have time. Thanks, JRT.

Logfile of HijackThis v1.99.1
Scan saved at 7:36:00 PM, on 2/21/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\POPROXY.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\LVCOMS.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\SUPPORT.COM\BIN\TGCMD.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\WINDOWS\EXPLORER.EXE
C:\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.thetechguide.com/forum/index.php?showtopic=13518
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - 3 - URLSearchHook: {FD0B1A83-4F7C-11D5-BD9C-000103C116D5} - (no file)
F1 - win.ini: run=C:\WINDOWS\HPFsched.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Norton eMail Protect] C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\POProxy.exe
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NORTON~2\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [Norton CrashGuard Monitor] "C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CRASHGUARD\CGMenu.EXE"
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [tgcmdprovidersbc] "c:\program files\support.com\bin\tgcmd.exe" /server /startmonitor /deaf /nosystray
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSA.EXE
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [WinTools] C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSA.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Norton System Doctor.lnk = C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
O4 - Startup: MRU-Blaster Scheduler.lnk = C:\Program Files\MRU-Blaster\scheduler.exe
O4 - Startup: MRU-Blaster Silent Clean.lnk = C:\Program Files\MRU-Blaster\mrublaster.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?326

*    DLLCompare Log version(1.0.0.125)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINDOWS\SYSTEM\mqc30.dll      Wed Feb  2 2005  11:37:24p  ..S.R        222,568   217.35 K
C:\WINDOWS\SYSTEM\jvvart.dll     Wed Feb  2 2005  11:37:24p  ..S.R        222,568   217.35 K
C:\WINDOWS\SYSTEM\wotdecod.dll   Wed Feb  2 2005  11:37:24p  ..S.R        222,568   217.35 K
C:\WINDOWS\SYSTEM\qjap.dll       Wed Feb  2 2005  11:37:24p  ..S.R        222,568   217.35 K
C:\WINDOWS\SYSTEM\mqidntld.dll   Wed Feb  2 2005  11:37:24p  ..S.R        222,568   217.35 K
C:\WINDOWS\SYSTEM\mawdat10.dll   Wed Feb  2 2005  11:37:24p  ..S.R        222,568   217.35 K
________________________________________________

794 items found:  794 files (6 H/S), 0 directories.
Total of file sizes:  156,110,723 bytes    148.88 M

--------------------End log---------------------

Offline guestolo
Do I enable all start-up programs for Hjt scan?
« Reply #21 on: February 21, 2005, 10:08:21 PM »
Just helping someone with your same problem

Can you do this for me right now

Please copy and paste these instructions to an empty Notepad file and leave it on your desktop, and then disconnect completely from the Internet.
Open these instructions and leave them open until we have restarted your computer

Close down all other windows

Do another scan with Hijackthis and put a check next to these entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.thetechguide.com/forum/index.php?showtopic=13518
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

R3 - URLSearchHook: (no name) - 3 - URLSearchHook: {FD0B1A83-4F7C-11D5-BD9C-000103C116D5} - (no file)

O4 - HKLM\..\Run: [LoadQM] loadqm.exe

O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSA.EXE
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"

O4 - HKLM\..\RunServices: [WinTools] C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSA.EXE


After you have ticked the above entries, close all other open windows, including this one.
Leave Hijackthis open and click FIX CHECKED.
OK the prompt and exit Hijackthis.

Run Pocket KillBox. Now you have Killbox and this Notepad file open.
Click on Tools --> Select Delete Temp Files. Click OK.
At the bottom right of the main screen, click on the down arrow to the left of the yellow triangle.
Select the following entry if running rundll32.exe
Now click the yellow triangle to End Task
There may be more than one running, end task on all of them

Again, in Killbox
At the main screen of Pocket Killbox, select the option: Delete on Reboot

In the Full Path of File to Delete box, copy and paste this entry:

C:\WINDOWS\SYSTEM\mqc30.dll

Press the button with a red circle and a white X
Click Yes to Delete on Reboot
IF asked if you would like to Reboot Now, select No.

Do the same for all these:

C:\WINDOWS\SYSTEM\jvvart.dll

C:\WINDOWS\SYSTEM\wotdecod.dll

C:\WINDOWS\SYSTEM\qjap.dll

C:\WINDOWS\SYSTEM\mqidntld.dll


Finally, in Full Path of File to Delete, copy and paste the following:

C:\WINDOWS\SYSTEM\mawdat10.dll

Press the button with a red circle and a white X.
If asked to Reboot, select Yes!!

Allow the system to restart, or restart anyway.

When you're back in Windows:

Open Hoster and Restore original hosts

Also post back with a fresh hijackthis log

Sorry JRT, I'll let you know Firefox settings I have later
after we get you clean

EDIT>> JRT, instead of running DLLCompare and VX2 Finder, could you:
When you're back in Windows,
Download Findit9xme.zip
Unzip the contents and open the Findit9xMe folder
Double click on Findit9xme.bat
Wait for the log and post it back
« Last Edit: February 22, 2005, 02:06:27 AM by guestolo »
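As an added example (not code from the thread or from the tools it names), the following Python triages the two log formats posted above: it groups DLLCompare file lines that share size, timestamp and attributes, which is the pattern the six SYSTEM DLLs show, and lists HijackThis entries whose target file is gone, like the R3 hook guestolo asked to fix. The sample log lines are constructed to match the posted layout; the meaning assigned to the attribute column (letters = set attributes, dots = unset) is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample in the DLLCompare column layout seen in the thread:
# path, weekday/date, time, attribute flags, byte size, human-readable size.
DLLCOMPARE_SAMPLE = r"""
C:\WINDOWS\SYSTEM\mqc30.dll      Wed Feb  2 2005  11:37:24p  ..S.R        222,568   217.35 K
C:\WINDOWS\SYSTEM\jvvart.dll     Wed Feb  2 2005  11:37:24p  ..S.R        222,568   217.35 K
C:\WINDOWS\SYSTEM\wotdecod.dll   Wed Feb  2 2005  11:37:24p  ..S.R        222,568   217.35 K
C:\WINDOWS\SYSTEM\legit.dll      Tue Apr 23 1999  10:00:00a  ....A      1,234,567     1.18 M
"""

# Constructed HijackThis-style lines using the same entry shapes as the posted log.
HJT_SAMPLE = r"""
R3 - URLSearchHook: (no name) - {FD0B1A83-4F7C-11D5-BD9C-000103C116D5} - (no file)
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSA.EXE
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
"""

# Path (may contain spaces) up to the "Wed Feb  2 2005  11:37:24p" stamp, then
# the attribute column (assumed: letters = set, dots = unset) and the byte size.
DLL_LINE = re.compile(
    r"^(?P<path>.+?)\s+(?P<stamp>[A-Z][a-z]{2} [A-Z][a-z]{2}\s+\d{1,2} \d{4}\s+\d{1,2}:\d{2}:\d{2}[ap])"
    r"\s+(?P<attrs>[.A-Z]+)\s+(?P<size>[\d,]+)\s"
)

def parse_dllcompare(text):
    """Return one dict per file line; header, separator and total lines are skipped."""
    out = []
    for line in text.splitlines():
        m = DLL_LINE.match(line.strip())
        if m:
            out.append({"path": m["path"].strip(), "stamp": re.sub(r"\s+", " ", m["stamp"]),
                        "attrs": m["attrs"], "size": int(m["size"].replace(",", ""))})
    return out

def dll_clusters(entries, min_files=2):
    """Group files that share size, timestamp and attributes. Several same-size
    system/read-only DLLs written in the same second, as in the posted log,
    are one cluster and deserve a closer look together."""
    groups = defaultdict(list)
    for e in entries:
        groups[(e["size"], e["stamp"], e["attrs"])].append(e["path"])
    return {k: v for k, v in groups.items() if len(v) >= min_files}

def orphaned_hjt_entries(text):
    """HijackThis lines whose target file no longer exists (e.g. the R3 hook above)."""
    return [ln for ln in text.splitlines()
            if ln.endswith("(no file)") or ln.endswith("(file missing)")]
```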
