I ran HijackThis after some advice I received; this is
the log file that it created. What do I do with this?

Logfile of HijackThis v1.97.7
Scan saved at 9:18:38 AM, on 1/25/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\WinHelp.exe
C:\WINNT\system32\internat.exe
C:\Program Files\AIM\aim.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\rundll32.exe
C:\PROGRA~1\WINZIP\wzqkpick.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\WINZIP\winzip32.exe
C:\unzipped\hijackthis[1]\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yahoo.com/search/ie.html
O2 - BHO: NavErrRedir Class - {0428FFC7-1931-45b7-95CB-3CBB919777E1} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [WinHelp] C:\WINNT\system32\WinHelp.exe
O4 - HKLM\..\Run: [WinGate initialize] C:\WINNT\system32\WinGate.exe -remoteshell
O4 - HKLM\..\Run: [AltnetPointsManager] c:\program files\altnet\points manager\points manager.exe -s
O4 - HKLM\..\Run: [Remote Procedure Call Locator] RUNDLL32.EXE reg678.dll ondll_reg
O4 - HKLM\..\Run: [Program In Windows] C:\WINNT\system32\IEXPLORE.EXE
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37990.6304976852
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

thanks in advance

Re: highjackthis log file by Dirk

Dirk
Sun Jan 25 11:17:13 CST 2004


"Jorge Preble" <jorgepreble@hotmail.com> wrote in message
news:391e01c3e357$a2660240$a101280a@phx.gbl...
> I ran HijackThis after some advice I received; this is
> the log file that it created. What do I do with this?

Wrong place to post.
Must be here: http://forums.spywareinfo.com/



Re: highjackthis log file by Kent

Kent
Sun Jan 25 21:10:58 CST 2004

Jorge Preble wrote:

I would delete this hanging reference:
> O2 - BHO: NavErrRedir Class - {0428FFC7-1931-45b7-95CB-3CBB919777E1} - (no file)

This one is suspect:
> O4 - HKLM\..\Run: [WinHelp] C:\WINNT\system32\WinHelp.exe

Did you install WinGate or did some bug drop this on your system? If you
didn't install it, it's running as a trojan backdoor:
> O4 - HKLM\..\Run: [WinGate initialize] C:\WINNT\system32\WinGate.exe -remoteshell

This one is a bug:
> O4 - HKLM\..\Run: [Program In Windows] C:\WINNT\system32\IEXPLORE.EXE

Once HiJackThis has deleted the run keys, you should follow up after a
reboot and delete the three files referenced.

If HiJackThis continues to indicate suspect files like these, then you
need more powerful removal tools, or you need to visit Windows Update
and download your missing critical updates and you need to tighten up
your browser security settings. I recommend Quik-Fix from www.pivx.com.

--
Kent W. England, Microsoft MVP for Windows Security
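A small triage script added to this thread (not HijackThis's own code and not from either poster) that parses O2 and O4 entries in HijackThis log format and flags the three patterns Kent calls out: a BHO whose DLL is "(no file)", a Run entry carrying the -remoteshell switch, and a browser binary launched from system32. The sample lines are constructed from the posted log; the rules and the system-directory list are my own assumptions, not part of HijackThis.

```python
import re

# Constructed sample in HijackThis log format. The entries are copied from the log
# posted above so the rules reproduce the triage in Kent's reply.
SAMPLE_LOG = r"""
O2 - BHO: NavErrRedir Class - {0428FFC7-1931-45b7-95CB-3CBB919777E1} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [WinGate initialize] C:\WINNT\system32\WinGate.exe -remoteshell
O4 - HKLM\..\Run: [Program In Windows] C:\WINNT\system32\IEXPLORE.EXE
O4 - HKCU\..\Run: [internat.exe] internat.exe
"""

ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")
O2_RE = re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<target>.*)$")
O4_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Assumption: the browser is never legitimately installed under these system paths.
SYSTEM_DIRS = ("\\winnt\\system32\\", "\\windows\\system32\\")

def parse(log_text):
    """Yield (section, body) for every entry line such as 'O4 - ...'; other lines are skipped."""
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group("section"), m.group("body")

def triage(log_text):
    """Return (entry, reason) pairs for entries matching the three red flags from the reply."""
    findings = []
    for section, body in parse(log_text):
        if section == "O2":
            m = O2_RE.match(body)
            if m and m.group("target").strip().lower() == "(no file)":
                findings.append((body, "hanging BHO: registered CLSID with no DLL on disk"))
        elif section == "O4":
            m = O4_RE.match(body)
            if not m:
                continue
            cmd = m.group("cmd").lower()
            if "-remoteshell" in cmd.split():
                findings.append((body, "Run entry starts a program with a remote-shell switch"))
            elif "iexplore.exe" in cmd and any(d in cmd for d in SYSTEM_DIRS):
                findings.append((body, "browser binary launched from a system directory, not its install path"))
    return findings

if __name__ == "__main__":
    for entry, reason in triage(SAMPLE_LOG):
        print(f"{reason}:\n    {entry}")
```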