HiJack Log WIN98SE, is it clean?

Hi,
Thought I would get it checked machine acting sluggish. When running SPYBOT I keep finding something called SearchForIt and i fix it but it keeps comeing back System comes up clean with AV all ad ware spyware scans, AT scan, CW Shredder... not sure whats causing it any help would be appreciated.



Logfile of HijackThis v1.97.7
Scan saved at 11:35:02 PM, on 9/4/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\PROGRAM FILES\KERIO\PERSONAL FIREWALL\PERSFW.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\ptsnoop.exe
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
C:\HIJACK\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [WordPerfect Office 1215] C:\PROGRAM FILES\WORDPERFECT OFFICE 12\PROGRAMS\REGISTRATION.EXE /title= "WordPerfect Office 12" /date=090904 serial=WS12WTX-9999998-UYR lang=EN
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKLM\..\RunServices: [PersFw] "C:\PROGRAM FILES\KERIO\PERSONAL FIREWALL\PERSFW.EXE "
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38220.8684143519
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

Thanks in advance,
~FIREDANCER~

 

Only thing I see is the HOSTS file entry. You also need to download the newest version of HJT. Post a new log when you get it.

 

Searchforit is currently a fasle possitive

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{C109664B-CEB1-420B-B353-D55A561536DD}]
"Compatibility Flags "=dword:00000400

I have no idea what the purpose for it is, that Hosts entry gets install by
Trojan Hunter

 

Hello,

Thanks for the replys here is my new log with newer version of Hijack your help is appreciated

Regards,
~FIREDANCER~

Logfile of HijackThis v1.98.2
Scan saved at 9:00:57 AM, on 9/5/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\PROGRAM FILES\KERIO\PERSONAL FIREWALL\PERSFW.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\ptsnoop.exe
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
C:\HIJACK\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [WordPerfect Office 1215] C:\PROGRAM FILES\WORDPERFECT OFFICE 12\PROGRAMS\REGISTRATION.EXE /title= "WordPerfect Office 12" /date=090904 serial=WS12WTX-9999998-UYR lang=EN
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKLM\..\RunServices: [PersFw] "C:\PROGRAM FILES\KERIO\PERSONAL FIREWALL\PERSFW.EXE "
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

 

You should scan again and fix the following entries, but in reality, all are optional.

O1 - Hosts: 64.91.255.87 www.dcsresearch.com <<< useless HOSTS file....click the link....takes you to a search page
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe <<< Country Selection task for PCTEL Modems. This background program is installed with PCTEL modem drivers. It enables you to set the country in which you are using your PCTEL modem. As such, therefore, it is only needed once, when you first install your modem. per AnswersThatWork
O4 - HKLM\..\Run: [WordPerfect Office 1215] C:\PROGRAM FILES\WORDPERFECT OFFICE 12\PROGRAMS\REGISTRATION.EXE /title= "WordPerfect Office 12" /date=090904 serial=WS12WTX-9999998-UYR lang=EN <<< Really need to register Word Perfect every time you startup?

Log is otherwise clean, and as Lonny noted, the SearchForIt is apparently a false positive.

 

You ARE missing an entry though!!

That is a startup entry for ScanRegistry. If you UNselected it, reselect it. This program backs up your registry on the first boot of the day.

 

Maybe useless to the PC owner but if you have that hosts file entry, clicking that link will take you to a completely different page than clicking the link if you don't.


http://64.91.255.87/ allows download of several DiamondCS (DCS) software apps including one Trojan killer so that's where the www.dcsresearch.com link would direct Firedancer rather than the search page the rest of us would see.

 

Thanks for straightening me out on that Newt.

 

Hello,

was there a goof somewhere? I did as directed and re downloaded newer version and fixxed suggestions. I do use Diamond software and I am wondering now if there will be a problem by fixxing the O1 - Hosts: 64.91.255.87 www.dcsresearch.com. Can someone please clarify?

Regards,
~FIREDANCER~

 

Open HJT and click config, then backups. Select the HOSTS file entry and then restore. It does as Newt says and takes you to a download page for DCS, rather than a search page as it did for me without the entry.