Hijack This Results

  1. #1
    Registered User
    Join Date
    Dec 2003
    Posts
    2

    Hijack This Results

    Hi there, I'm having a problem with this error that keeps shutting down my computer... it's like a countdown and then I have to reset.. I just recently formatted my PC and it was still here after I reinstalled Win XP.. I was told to post the results of my Hijack This program...

    Logfile of HijackThis v1.97.7
    Scan saved at 10:12:12 PM, on 12/17/2003
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\DAP\DAP.EXE
    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\System32\taskmgr.exe
    C:\Documents and Settings\Dan\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir...r=6&ar=msnhome
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
    O2 - BHO: (no name) - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Program Files\DAP\DAPBHO.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll
    O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
    O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Run DAP (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...972.7419328704

  2. #2
    Banned TripleRLtd's Avatar
    Join Date
    Aug 2003
    Location
    SW Florida...eye of the storm.
    Posts
    7,251
    Quote Originally Posted by Cyto
    Hi there, I'm having a problem with this error that keeps shutting down my computer... it's like a countdown and then I have to reset.. I just recently formatted my PC and it was still here after I reinstalled Win XP.. I was told to post the results of my Hijack This program...

    Welcome to Windriver Cyto.
    Get rid of download accelerator, first.
    Also, what error message exactly are you getting?
    And, how did DAP end up on a newly reformatted PC?
    I suggest also that you run Spybot and Adaware to get rid of other malware.
    While HiJack this is truly useful...
    More details always help.
    Why did you have to format to begin with?
    What problems were you having?
    You see, it is NOT always just software related.

  3. #3

  4. #4
    Geezer confus-ed's Avatar
    Join Date
    Jul 1999
    Location
    In front of my PC....
    Posts
    13,087
    Quote Originally Posted by emr
    You've got the Blaster worm or a variant.
    ... classic symptoms

    & other stuff too, use emr's links to get rid of 'blaster' first (that's what's causing the shutdowns), then follow tripleR's advice with spybot &/or adaware ... once you've removed all that lot, then repost with a new log & we'll see if there's any other malware or trojans lurking

  5. #5
    Registered User DocPC's Avatar
    Join Date
    Sep 2000
    Location
    Coeur d'Alene, ID
    Posts
    2,900
    I was the one that asked him to post here (from chat). He said he ran AV including online, Spybot, Adaware, etc.

    Task manager does not show MSBLAST.exe.....

    Just some more info to help ya out.
    Follow this link to chat for a quicker answer!

    NooNoo, grover, Matridom, cc_penguin, Octavian, crazyman, Major Kong, and Mayet onboard.....And now starring Ya_know!

  6. #6
    Banned TripleRLtd's Avatar
    Join Date
    Aug 2003
    Location
    SW Florida...eye of the storm.
    Posts
    7,251
    Quote Originally Posted by DocPC
    I was the one that asked him to post here (from chat). He said he ran AV including online, Spybot, Adaware, etc.

    Task manager does not show MSBLAST.exe.....

    Just some more info to help ya out.
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    They are right, though:
    It's the variant: W32.Welchia worm
    I missed it at first.
    http://securityresponse.symantec.com...chia.worm.html

  7. #7
    Registered User emr's Avatar
    Join Date
    Sep 2001
    Location
    Amsterdam
    Posts
    1,312
    Quote Originally Posted by TripleRLtd
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    They are right, though:
    It's the variant: W32.Welchia worm
    I missed it at first.
    http://securityresponse.symantec.com...chia.worm.html
    I would have had a hard time believing it was anything else but Blaster or a variant with those symptoms. Still I've been known to be wrong before.

  8. #8
    Registered User DocPC's Avatar
    Join Date
    Sep 2000
    Location
    Coeur d'Alene, ID
    Posts
    2,900
    I wholeheartedly agree with you.....I told him that it was blaster or a variant as did everyone else there.

    We can't post the Hijack this log in chat as it causes a flood or disappears too fast to read it well.

    RRR seems to have it down to Welchia......I think so too.

  9. #9
    Registered User silencio's Avatar
    Join Date
    Sep 2000
    Location
    Savannah
    Posts
    3,960
    Deja Vu. Hijack This must be pretty popular.
    Deliver me from Swedish furniture!

  10. #10
    Registered User
    Join Date
    Dec 2003
    Posts
    2

    Yeah, I fixed it... or so I think

    Yeah, thx guys but to be honest the problem went away.. I think it was when I got a few tips off of some people at the Windrivers Chat.. I wish I could name them, but I don't remember... sorry guys/gals, but you know who you are... until I get another one of those errors I think I'll be fine keeping what I have and not f'n around... thx for all your help though

  11. #11
    Banned TripleRLtd's Avatar
    Join Date
    Aug 2003
    Location
    SW Florida...eye of the storm.
    Posts
    7,251
    Quote Originally Posted by Cyto
    Yeah, thx guys but to be honest the problem went away.. I think it was when I got a few tips off of some people at the Windrivers Chat.. I wish I could name them, but I don't remember... sorry guys/gals, but you know who you are... until I get another one of those errors I think I'll be fine keeping what I have and not f'n around... thx for all your help though
    GO CHAT!!!
    I always knew!!!!
    You GO guys and gals!!!
