
Hi - Here is my HJT log



flybye55
2005-12-02, 19:35
Logfile of HijackThis v1.99.1
Scan saved at 18:31:40, on 02.12.2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\ATI2EVXX.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAMME\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAMME\GEMEINSAME DATEIEN\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAMME\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAMME\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAMME\TOOLS&MORE\WINEXIT-PRO\WINEXIT.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAMME\FRNDSL\FRNDSL.EXE
C:\PROGRAMME\MOZILLA FIREFOX\FIREFOX.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\ANTISPYWARE\HIJACKTHIS.EXE

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.shareware.us/srchasst.html
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.freenet.de/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAMME\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: metaspinner GmbH - {E9E027BF-C3F3-4022-8F6B-8F6D39A59684} - C:\Programme\Preispiraten3\Preispiraten3\IEButtonPPInterface.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAMME\YAHOO!\COMPANION\INSTALLS\CPN\YT.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Natural Voice Reader - {BCBF738C-4891-4B9A-959A-C6BF7F608C3A} - C:\Programme\NaturalReader\FreeVersion\NVRIEBar.dll (file missing)
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [ATIPOLL] ati2evxx.exe
O4 - HKLM\..\RunServices: [ATISmart] C:\WINDOWS\SYSTEM\ati2s9ag.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Programme\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Reboot.exe
O4 - Startup: Free NaturalReader.lnk = C:\Programme\NaturalReader\FreeVersion\FreeReader.exe
O4 - Global Startup: WinExit-Pro.lnk = C:\Programme\Tools&More\WinExit-Pro\WinExit.exe
O8 - Extra context menu item: &Preispiratensuche nach markiertem Text - C:\\Programme\\Preispiraten3\\Preispiraten3\\preispiraten.html
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAMME\YAHOO!\COMMON\YHEXBMESDE.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAMME\YAHOO!\COMMON\YHEXBMESDE.DLL
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_05\bin\npjpi150_05.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Programme\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} - http://gameadvisor.futuremark.com/global/msc37.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
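The log above is a HijackThis (HJT) report: each entry is a section tag (R0, R1, O2, O3, O4, O16 ...), a separator, and a free-form body. What a reviewer does with it is mostly sorting: which BHOs and toolbars point at files that no longer exist (the "(file missing)" suffix), which autoruns name a bare executable rather than a full path, which DPF entries pull code from a remote host, and which IE settings were redirected to an external site. The parser below is an added example written for this thread, not a tool from HijackThis or the forum; the triage buckets are my own heuristics, and the sample input is a handful of lines copied from the log above plus a header so there is something to skip.

```python
"""Parse HijackThis (HJT) log lines and sort entries into the buckets a
reviewer looks at first. Added example for this thread; the log format is
inferred from the log posted above, the triage rules are assumptions."""
import re
from urllib.parse import urlparse

# Sample input: lines copied from the HJT log in the thread, plus a header
# and the "Running processes:" block. Not a complete log.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows ME (Win9x 4.90.3000)

Running processes:
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\ANTISPYWARE\HIJACKTHIS.EXE

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.shareware.us/srchasst.html
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAMME\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: metaspinner GmbH - {E9E027BF-C3F3-4022-8F6B-8F6D39A59684} - C:\Programme\Preispiraten3\Preispiraten3\IEButtonPPInterface.dll (file missing)
O3 - Toolbar: Natural Voice Reader - {BCBF738C-4891-4B9A-959A-C6BF7F608C3A} - C:\Programme\NaturalReader\FreeVersion\NVRIEBar.dll (file missing)
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - Startup: Reboot.exe
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} - http://gameadvisor.futuremark.com/global/msc37.cab
"""

ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
URL_RE = re.compile(r"https?://\S+")


def running_processes(text):
    """Collect the paths listed under 'Running processes:' (up to the first blank line)."""
    procs, collecting = [], False
    for line in text.splitlines():
        if line.startswith("Running processes:"):
            collecting = True
        elif collecting:
            if not line.strip():
                break
            procs.append(line.strip())
    return procs


def parse_hjt(text):
    """Return one dict per HJT entry line; header and process lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        clsid, url = CLSID_RE.search(body), URL_RE.search(body)
        entries.append({
            "section": section,
            "body": body,
            "file_missing": body.endswith("(file missing)"),
            "clsid": clsid.group(0) if clsid else None,
            "url": url.group(0) if url else None,
        })
    return entries


def autorun_target(body):
    """Return the executable an O4 entry launches: a full path or a bare name."""
    if "]" in body:            # registry Run/RunServices: "[Name] command args"
        cmd = body.split("]", 1)[1].strip()
    elif "=" in body:          # resolved startup-folder link: "X.lnk = C:\path\prog.exe"
        cmd = body.split("=", 1)[1].strip()
    else:                      # unresolved startup-folder item: "Startup: prog.exe"
        cmd = body.split(":", 1)[1].strip()
    if cmd.startswith('"'):    # quoted path, may contain spaces
        return cmd[1:].split('"', 1)[0]
    if re.match(r"^[A-Za-z]:\\", cmd):   # unquoted absolute path: cut at " -flag" or " /flag"
        return re.split(r" [-/]", cmd, maxsplit=1)[0]
    return cmd.split(" ", 1)[0]          # bare name, resolved through the search path


def triage(entries):
    """Group entries by the question a reviewer asks about them (assumed heuristics)."""
    findings = {"file_missing": [], "unqualified_autorun": [], "remote_code": [], "ie_settings": []}
    for e in entries:
        if e["file_missing"]:                      # stale registration, nothing loads
            findings["file_missing"].append(e["clsid"] or e["body"])
        if e["section"] == "O4":                   # autorun naming no directory
            target = autorun_target(e["body"])
            if not re.match(r"^[A-Za-z]:\\", target):
                findings["unqualified_autorun"].append(target)
        if e["section"] == "O16" and e["url"]:     # ActiveX package fetched from a host
            findings["remote_code"].append(urlparse(e["url"]).hostname)
        if e["section"] in ("R0", "R1") and e["url"]:   # IE start/search page pointing outward
            findings["ie_settings"].append(urlparse(e["url"]).hostname)
    return findings


if __name__ == "__main__":
    print("processes:", running_processes(SAMPLE_LOG))
    for bucket, items in triage(parse_hjt(SAMPLE_LOG)).items():
        print(f"{bucket}: {items}")
```

The "(file missing)" bucket is the easy one: those CLSIDs register a DLL that is no longer on disk, so nothing is actually loading and the entry is just clutter. The unqualified autoruns and the remote-code and IE-settings hosts are the lines worth looking up one by one, which is what the helpers in the thread do by hand.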

little eagle
2005-12-03, 17:56
What are you having trouble with? :confused:

flybye55
2005-12-05, 13:49
[QUOTE=little eagle]What are you having trouble with? :confused:[/QUOTE]

Hi - I had already written in another forum here that I constantly get a report in S&D (newest version etc.) for a registry entry relating to "commander.net", which each time I "fix" using S&D, and the next time, even if only a day later, it is back there.

Tashi responded to this other posting and suggested I:

run a virus checker

run the latest version of S&D and

run and post a report from HJT:
which is what I have posted here.
I wrote a pm to Tashi letting him know I had posted the report here but have heard no more from him.

little eagle
2005-12-06, 02:28
Download, unzip and run 'RootkitRevealer' from Sysinternals:
http://www.sysinternals.com/Utilities/RootkitRevealer.html
Once the program has started, press Scan and let it run.
When the scan is done, use 'File > Save' to place the logfile in a convenient location (such as the desktop). The default filename will be 'RootkitReveal.txt'.

Copy/paste the contents of that logfile into your next reply.

I have not run ME much, so I don't know if fast switching was available then.
Click Start > Control Panel > User Accounts > Change the way users log on or off > uncheck Fast User Switching > restart your computer.
To prevent as many false positives from happening, and therefore causing lots of head scratching etc., it's wise to do the following -
Physically unplug the cable from the PC to the internet connection, and then you can move on to the next stage Safely.
Close down All Scheduling/Updating + Running Background tasks etc.
Launch + run RR and then do NOT touch the PC at ALL for Whatever reason/s until it has 100% completed its scan, or attempted scan in case of some error etc !
Save your Log File, and then Enable those things you closed down, or Reboot, and ONLY then Reconnect to the Internet.
That way you should have a much simpler and clearer log file in which to peruse and evaluate.

flybye55
2005-12-06, 11:54
[QUOTE=little eagle]Download, unzip and run 'RootkitRevealer' from Sysinternals:
http://www.sysinternals.com/Utilities/RootkitRevealer.html[/QUOTE]

Hi - Don't get me wrong now - I really appreciate your help - but at the above site I read the following:

"..RootkitRevealer is an advanced patent-pending root kit detection utility. It runs on Windows NT 4 and higher and its output lists Registry and file system API discrepancies that may indicate the presence of a user-mode or kernel-mode rootkit. .."

Considering I am running WinME I am more than a little worried about that statement: "...It runs on Windows NT 4 and higher....?"

Please advise further before I proceed?

Concerning the other matter...

There is a multi-user feature in WinME but it is not active in default condition and has not been activated on this machine.

little eagle
2005-12-06, 13:43
Sorry NTFS was not available with ME :rolleyes:

Please try this trojan scan (http://www.windowsecurity.com/trojanscan/)

flybye55
2005-12-06, 21:13
[QUOTE=little eagle]Sorry NTFS was not available with ME :rolleyes:

Please try this trojan scan (http://www.windowsecurity.com/trojanscan/)[/QUOTE]

OK - but is there anything (else) one can do about this constantly-recurring "CommanderNet" thing despite that it is apparently running in a WinME context?

flybye55
2005-12-06, 21:24
[QUOTE=flybye55]OK - but is there anything (else) one can do about this constantly-recurring "CommanderNet" thing despite that it is apparently running in a WinME context?[/QUOTE]


Ah ha - sorry I missed that with the "please try this trojan scan."

Will do it now and report back!

:)

flybye55
2005-12-06, 21:35
[QUOTE=flybye55]Ah ha - sorry I missed that with the "please try this trojan scan."

Will do it now and report back!

:)[/QUOTE]

Did the Trojanscan and it reported:

"Congratulations: no malware found."

<- which I suppose doesn't alter the fact that S&D finds this CommanderNet reg. entry again and again. :(

little eagle
2005-12-07, 02:06
One of the best features of Windows ME is the System Restore option, however if a virus infects a
computer with this operating system the virus can be backed up in the System Restore folder.
Therefore, clearing the restore points is necessary after a virus removal.

To reset your restore points, please note that you will need to log into your computer with an account,
which has full administrator access. You will know if the account has
administrator access because you will be able to see the System Restore tab.
If the tab is missing, you are logged in under a limited account.

Win ME
To disable System Restore:

1. Right-click My Computer, and then click Properties.
2. On the Performance tab, click File System, or press ALT+F.
3. On the Troubleshooting tab, click to select the Disable System Restore check box.
4. Click OK twice, and then click Yes when you are prompted to restart the computer.
5. To re-enable System Restore, follow steps 1-3, but in step 3, click to clear the Disable System Restore check box.


Then make a restore point to be sure that one has been made.

Backup your Registry...
Click start > run > enter\type "regedit" (without quotes)
- Once Regedit opens click on the FILE menu and select Export
- Save the file as backup. Save the file somewhere you will remember and not delete.
IMPORTANT: make sure to set the export range to ALL

Then download RegSeeker http://www.hoverdesk.net/freeware.htm . Extract it to its own folder, open it and double-click RegSeeker.exe to start the program.

1. Maximize the window and click Clean Registry. Check all sections and click OK.
2. When the scan is complete, verify that the backup box in the lower left corner is checked, click the Select All button, then Select All again.
3. Right-click within the search results and select Delete.
4. Reboot and make sure your programs are working properly, that the Control Panel and Add/Remove Programs windows open, etc. (basically just do a quick check of everything).
5. In the event anything was 'broken', you can open RegSeeker, click Backups and double-click any/all files to put the information back. A reboot may be required for the effects to be seen.

Reboot when done.

flybye55
2005-12-08, 18:31
Thanks so much - followed the advice through and it seems to have done the trick! Finally a clean machine!


Thanks again.

little eagle
2005-12-09, 06:26
Glad we could help :) I'll have Tashi close this thread.

tashi
2005-12-09, 12:07
As the problem appears to be resolved this topic will be archived.
If you need the topic reopened please pm me. Glad we could help. :)