Re: hijack.exe
From: Jerry (linc007-NO_SPAM_at_hotmail.com)
Date: 08/30/04
- In reply to: sandy: "hijack.exe"
Date: Mon, 30 Aug 2004 19:49:33 GMT
In your running processes, everything looks OK except:
C:\WINDOWS\system32\ntkb.exe (this is a bad one)
C:\WINDOWS\System32\rzlaci.exe (don't know what that is)
C:\WINDOWS\System32\jceaao.exe (don't know what that is)
C:\Documents and Settings\John\Application Data\bntw.exe (don't know what that is)
C:\WINDOWS\VB.INI:mgmhi (don't know what that is)
The ones that are OK...set HijackThis to ignore them. The bad ones...set
HijackThis to fix them (probably should be in Safe mode to do this) and also
check your Prefetch Directory for duplicates. The ones you're not sure
of...do a Google search on them, and right-click on the file in Windows Explorer
to see what properties the files have.
You should run a firewall, anti-virus, and download these freebies: Spybot
Search and destroy, Lavasoft's AdAware, SpywareBlaster, SpywareGuard, and
CWShredder. Do a Google to find them. Update those definitions regularly.
Maybe someone else can give you specifics about the registry items.
J
"sandy" <anonymous@discussions.microsoft.com> wrote in message
news:2ce701c48eb7$0532a120$a501280a@phx.gbl...
> Hi again. Just sent in a post about regedit. I ran
> HijackThis and it gave me a number of things to fix, but
> don't know what needs to be left there and what needs to
> be fixed or deleted. Here is the log file:
>
> Logfile of HijackThis v1.97.7
> Scan saved at 11:22:19 AM, on 31/07/2004
> Platform: Windows XP SP1 (WinNT 5.01.2600)
> MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
>
> Running processes:
> C:\WINDOWS\System32\smss.exe
> C:\WINDOWS\system32\winlogon.exe
> C:\WINDOWS\system32\services.exe
> C:\WINDOWS\system32\lsass.exe
> C:\WINDOWS\system32\svchost.exe
> C:\WINDOWS\System32\svchost.exe
> C:\WINDOWS\system32\spoolsv.exe
> c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
> C:\WINDOWS\System32\svchost.exe
> C:\WINDOWS\wanmpsvc.exe
> C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
> C:\Program Files\Xerox\NWWia\XrxFTPLt.exe
> C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
> C:\Program Files\SED\SED.exe
> C:\Program Files\Real\RealPlayer\RealPlay.exe
> C:\WINDOWS\system32\ntkb.exe
> C:\Program Files\Common Files\Microsoft Shared\Works
> Shared\WkUFind.exe
> c:\PROGRA~1\mcafee.com\vso\mcshield.exe
> C:\WINDOWS\System32\hkcmd.exe
> C:\WINDOWS\System32\rzlaci.exe
> C:\Program Files\Roxio\Easy CD Creator 5
> \DirectCD\DirectCD.exe
> C:\WINDOWS\System32\jceaao.exe
> C:\Documents and Settings\John\Application Data\bntw.exe
> C:\Program Files\Digital Line Detect\DLG.exe
> C:\WINDOWS\VB.INI:mgmhi
> C:\WINDOWS\explorer.exe
> C:\HijackThis.exe
>
> R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search
> Bar = res://C:\WINDOWS\system32\mdfre.dll/sp.html#37794
> R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start
> Page = http://www.google.ca
> R1 - HKCU\Software\Microsoft\Internet
> Explorer\Main,Default_Page_URL = http://www.dellnet.com
> R1 - HKCU\Software\Microsoft\Internet
> Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32
> \mdfre.dll/sp.html#37794
> R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start
> Page = http://www.google.ca
> R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search
> Bar = res://C:\WINDOWS\system32\mdfre.dll/sp.html#37794
> R0 - HKCU\Software\Microsoft\Internet
> Explorer\Toolbar,LinksFolderName =
> O2 - BHO: (no name) - {8B2CEA01-7DD8-C720-D770-
> D6B11CBE5AAF} - C:\WINDOWS\system32\sdkgl.dll
> O4 - HKLM\..\Run: [MMTray] C:\Program
> Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
> O4 - HKLM\..\Run: [XeroxScannerDaemon] C:\Program
> Files\Xerox\NWWia\XrxFTPLt.exe
> O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1
> \mcafee.com\vso\mcvsshld.exe
> O4 - HKLM\..\Run: [SESync] "C:\Program Files\SED\SED.exe"
> O4 - HKLM\..\Run: [RealTray] C:\Program
> Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
> O4 - HKLM\..\Run: [pnpsvc_lock] C:\WINDOWS\System32
> \748156.exe
> O4 - HKLM\..\Run: [ntkb.exe] C:\WINDOWS\system32\ntkb.exe
> O4 - HKLM\..\Run: [Microsoft Works Update Detection]
> C:\Program Files\Common Files\Microsoft Shared\Works
> Shared\WkUFind.exe
> O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1
> \mcafee.com\agent\McUpdate.exe
> O4 - HKLM\..\Run: [MCAgentExe] C:\Program
> Files\McAfee.com\Agent\mcagent.exe
> O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32
> \igfxtray.exe
> O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32
> \hkcmd.exe
> O4 - HKLM\..\Run: [dyptxw] C:\WINDOWS\System32\rzlaci.exe
> O4 - HKLM\..\Run: [BullsEye Network] C:\Program
> Files\BullsEye Network\bin\bargains.exe
> O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program
> Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
> O4 - HKCU\..\Run: [romahere] C:\WINDOWS\System32
> \matrixhere.exe
> O4 - HKCU\..\Run: [Qqs] C:\WINDOWS\System32\jceaao.exe
> O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft
> Money\System\mnyexpr.exe"
> O4 - HKCU\..\Run: [Coou] C:\Documents and
> Settings\John\Application Data\bntw.exe
> O4 - HKCU\..\Run: [Aida] C:\Documents and
> Settings\John\Application Data\ttuh.exe
> O4 - HKLM\..\RunOnce: [mgmhi] C:\WINDOWS\VB.INI:mgmhi
> O4 - Global Startup: AOL 7.0 Tray Icon.lnk = C:\Program
> Files\AOL 7.0\aoltray.exe
> O4 - Global Startup: Digital Line Detect.lnk = ?
> O4 - Global Startup: Microsoft Office.lnk = C:\Program
> Files\Microsoft Office\Office10\OSA.EXE
> O10 - Unknown file in Winsock LSP: c:\windows\system32
> \cdlsp.dll
> O10 - Unknown file in Winsock LSP: c:\windows\system32
> \cdlsp.dll
> O15 - Trusted Zone: *.05p.com
> O15 - Trusted Zone: *.clickspring.net
> O15 - Trusted Zone: *.greg-search.com
> O15 - Trusted Zone: *.mt-download.com
> O15 - Trusted Zone: *.my-internet.info
> O15 - Trusted Zone: *.scoobidoo.com
> O15 - Trusted Zone: *.searchmiracle.com
> O17 - HKLM\System\CCS\Services\Tcpip\..\{08931827-2CFB-
> 4E6E-AAE0-4C7A55826368}: NameServer =
> 216.126.103.27,198.235.200.134
> O17 - HKLM\System\CS1\Services\Tcpip\..\{08931827-2CFB-
> 4E6E-AAE0-4C7A55826368}: NameServer =
> 216.126.103.27,198.235.200.134
> O17 - HKLM\System\CS2\Services\Tcpip\..\{08931827-2CFB-
> 4E6E-AAE0-4C7A55826368}: NameServer =
> 216.126.103.27,198.235.200.134
>
> Thanks again and I apologize if I sent it to the wrong
> newsgroup
> Sandy
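
Added example, not part of either post: a Python sketch that rejoins the wrapped, `>`-quoted HijackThis lines and lists the running-process and O4 Run entries worth looking up first. The two heuristics (a second colon in the path, which is NTFS alternate data stream notation as in `VB.INI:mgmhi`, and an executable sitting directly under `Application Data`) are assumptions of this example, not HijackThis verdicts; `SAMPLE` is constructed from lines of the log above.

```python
import re
# Constructed sample: lines copied from the quoted log above, '>' marks and wraps intact.
SAMPLE = r"""
> C:\Program Files\Roxio\Easy CD Creator 5
> \DirectCD\DirectCD.exe
> C:\WINDOWS\VB.INI:mgmhi
> O4 - HKLM\..\Run: [Microsoft Works Update Detection]
> C:\Program Files\Common Files\Microsoft Shared\Works
> Shared\WkUFind.exe
> O4 - HKCU\..\Run: [Coou] C:\Documents and
> Settings\John\Application Data\bntw.exe
> O4 - HKLM\..\RunOnce: [mgmhi] C:\WINDOWS\VB.INI:mgmhi
"""

ENTRY_START = re.compile(r"(?:[A-Za-z]:\\|[A-Z]\d{1,2} - )")
O4_RUN = re.compile(r'O4 - (\S+): \[([^\]]+)\] "?(.+?)"?$')

def unwrap(text):
    """Strip '> ' quoting and rejoin entries the mail client wrapped."""
    entries = []
    for line in (re.sub(r"^>\s?", "", raw).strip() for raw in text.splitlines()):
        if not line:
            continue
        # After an O4 line that stops at "]", a drive-letter line is its wrapped path.
        new = ENTRY_START.match(line) and not (entries and entries[-1].endswith("]"))
        if new or not entries:
            entries.append(line)
        elif line.startswith("\\") or entries[-1].endswith("-"):
            entries[-1] += line            # break fell inside a path or GUID
        else:
            entries[-1] += " " + line      # break fell on a space
    return entries

def reasons(path):
    """Heuristics (assumptions of this example): which paths to look up first."""
    checks = [(":" in path[2:], "NTFS alternate data stream"),
              (bool(re.search(r"\\Application Data\\[^\\]+\.exe$", path, re.I)),
               "executable directly under Application Data")]
    return [label for hit, label in checks if hit]

def triage(text):
    """Return (source, path, reasons) for each flagged process or Run entry."""
    flagged = []
    for entry in unwrap(text):
        m = O4_RUN.match(entry)
        source, path = (f"{m[1]} [{m[2]}]", m[3]) if m else ("process", entry)
        if re.match(r"[A-Za-z]:\\", path) and reasons(path):
            flagged.append((source, path, reasons(path)))
    return flagged
```

Calling `triage()` on the log portion of a post returns the stream path once as a running process and once as its RunOnce registration, which ties the process to the autostart entry that would need fixing with it.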