|
| ||
| Hijack this log I have been hijacked! this is my HijackThis log, I have no idea what to do with it! Logfile of HijackThis v1.97.7 Scan saved at 9:55:49 AM, on 6/04/04 Platform: Windows 98 SE (Win9x 4.10.2222A) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\SYSTEM\KERNEL32.DLL C:\WINDOWS\SYSTEM\MSGSRV32.EXE C:\WINDOWS\SYSTEM\MPREXE.EXE C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE C:\WINDOWS\SYSTEM\mmtask.tsk C:\WINDOWS\EXPLORER.EXE C:\WINDOWS\SYSTEM\RPCSS.EXE C:\WINDOWS\SYSTEM\SYSTRAY.EXE C:\WINDOWS\LOADQM.EXE C:\WINDOWS\TASKMON.EXE C:\PROGRAM FILES\IOMEGA\DRIVEICONS\IMGICON.EXE C:\WINDOWS\ptsnoop.exe C:\WINDOWS\RUNDLL32.EXE C:\WINDOWS\SYSTEM\RNAAPP.EXE C:\PROGRAM FILES\NETSHOW SERVICES\TOOLS\REXPROXY.EXE C:\PROGRAM FILES\ECLINIC SECURE MEDICAL SERVICES CLIENT\CLIENT.EXE C:\WINDOWS\SYSTEM\TAPISRV.EXE C:\PROGRAM FILES\SAMSUNG\DIGIMAX VIEWER 1.0\DIGIMAXVIEWER.EXE C:\WINDOWS\SYSTEM\WMIEXE.EXE C:\WINDOWS\SYSTEM\SPOOL32.EXE C:\PROGRAM FILES\FILEMAKER\FILEMAKER PRO 5\FILEMAKER PRO.EXE C:\WINDOWS\SYSTEM\DDHELP.EXE C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE C:\WINDOWS\TEMP\HIJACKTHIS.EXE R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://mshp.dll/sp.html#23648 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://mshp.dll/index.html#23648 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://mshp.dll/index.html#23648 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.netscape.com/home/winsearch200.html R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://mshp.dll/sp.html#23648 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://mshp.dll/index.html#23648 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://mshp.dll/sp.html#23648 R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://keyword.netscape.com/keyword/%s R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://127.0.0.1:8080/proxyconf R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\downloaded program files\googletoolbar_en_2.0.108-deleon.dll O2 - BHO: . - {587DBF2D-9145-4c9e-92C2-1F953DA73773} - C:\WINDOWS\APPLICATION DATA\MSAF\MSAF.DLL O2 - BHO: (no name) - {FD9BC004-8331-4457-B830-4759FF704C22} - C:\WINDOWS\APPLICATION DATA\MSAF\MSIESH.DLL O2 - BHO: ShowSearch module - {E2DDF680-9905-4dee-8C64-0A5DE7FE133C} - C:\WINDOWS\APPLICATION DATA\MSAF\MSSEARCH.DLL O2 - BHO: (no name) - {2E9CAFF6-30C7-4208-8807-E79D4EC6F806} - C:\PROGRAM FILES\SUBMIT\SUBMITHOOK.DLL O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\downloaded program files\googletoolbar_en_2.0.108-deleon.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX O4 - HKLM\..\Run: [SystemTray] SysTray.Exe O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp O4 - HKLM\..\Run: [PE2CKFNT SE] D:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe O4 - HKLM\..\Run: [LoadQM] loadqm.exe O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe O4 - HKLM\..\Run: [CountrySelection] pctptt.exe O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe O4 - HKLM\..\Run: [Image] rundll32 C:\WINDOWS\IMAGE.DLL,Install O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd O4 - HKLM\..\Run: [DisableEHCI] C:\WINDOWS\NoUSB20.EXE O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme O4 - HKCU\..\RunServices: [Image] rundll32 C:\WINDOWS\IMAGE.DLL,Install O4 - Startup: eClinic Secure Medical Services Client.lnk = C:\Program Files\eClinic Secure Medical Services Client\client.exe O4 - Startup: Billminder.lnk = C:\QUICKENW\billmind.exe O4 - Startup: Digimax Viewer 1.0.lnk = C:\Program Files\Samsung\Digimax Viewer 1.0\DigimaxViewer.exe O4 - Global Startup: NetShow PowerPoint Helper.lnk = C:\Program Files\NetShow Services\Tools\nsppthlp.exe O8 - Extra context menu item: Add to filterlist (WebWasher) - http://-Web.Washer-/ie_add O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_2.0.108-DELEON.DLL/cmsearch.html O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_2.0.108-DELEON.DLL/cmcache.html O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_2.0.108-DELEON.DLL/cmsimilar.html O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_2.0.108-DELEON.DLL/cmbacklinks.html O8 - Extra context menu item: Translate into English - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_2.0.108-DELEON.DLL/cmtrans.html O9 - Extra button: Net2Phone (HKLM) O9 - Extra 'Tools' menuitem: Net2Phone (HKLM) O9 - Extra button: Telstra Usage Meter (HKLM) O9 - Extra 'Tools' menuitem: Telstra Usage Meter (HKLM) O12 - Plugin for .ai: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll O13 - WWW. Prefix: http:// O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub...sh/swflash.cab O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security1.norton.com/sa/commo.../bin/cabsa.cab O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...948.7480208333 O16 - DPF: {5445BE81-B796-11D2-B931-002018654E2E} (MeadCo Security Manager) - http://wcs00180.egain.net/wcsapp/web.../ie/SecMgr.cab O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - http://livesc03.rightnowtech.com/tel.../java/RntX.cab |
| ||
| Re: Hijack this log You have a CWS infection. Download CWShredder from http://209.133.47.200/~merijn/files/CWShredder.exe & run it. Select the fix button & it will get rid of everything related to CoolWebSearch. Close ALL other programs including IE before running CWShredder. Download & instal Adaware from http://majorgeeks.com/download.php?det=506 & update it B4 scanning. In settings under 'scanning,' have it set to 'scan within archives,' 'scan active processes,' 'scan registry,' 'deepscan registry' 'scan my IE Favourites for banned URL's,' 'scan my host's file.' Also in tweaks under 'cleaning engine' set it to 'Automatically try to unregister objects prior to deletion.' Remove what it finds by placing a check in the box to the left of the object. Download & instal Spybot S&D from http://www.safer-networking.org/index.php?page=download Update it B4 scanning. After the scan is complete, have spybot fix everything marked RED. On the page that first opens when you start Spybot there is an option to immunise, you should do this. In the immunise section there is also a link to download Spywareblaster. Download that & you can keep it updated by selecting the same link that you use to download it. Reboot after doing this & post another log please. |
| ||
| Re: Hijack this log Thanks! I did all you said and this is my new log: Logfile of HijackThis v1.97.7 Scan saved at 15:59:28 PM, on 7/04/04 Platform: Windows 98 SE (Win9x 4.10.2222A) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\SYSTEM\KERNEL32.DLL C:\WINDOWS\SYSTEM\MSGSRV32.EXE C:\WINDOWS\SYSTEM\MPREXE.EXE C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE C:\WINDOWS\SYSTEM\mmtask.tsk C:\WINDOWS\EXPLORER.EXE C:\WINDOWS\SYSTEM\RPCSS.EXE C:\WINDOWS\SYSTEM\SYSTRAY.EXE C:\WINDOWS\LOADQM.EXE C:\WINDOWS\TASKMON.EXE C:\PROGRAM FILES\IOMEGA\DRIVEICONS\IMGICON.EXE C:\WINDOWS\ptsnoop.exe C:\WINDOWS\RUNDLL32.EXE C:\PROGRAM FILES\ECLINIC SECURE MEDICAL SERVICES CLIENT\CLIENT.EXE C:\PROGRAM FILES\NETSHOW SERVICES\TOOLS\REXPROXY.EXE C:\PROGRAM FILES\SAMSUNG\DIGIMAX VIEWER 1.0\DIGIMAXVIEWER.EXE C:\WINDOWS\SYSTEM\RNAAPP.EXE C:\WINDOWS\SYSTEM\TAPISRV.EXE C:\WINDOWS\SYSTEM\WMIEXE.EXE C:\WINDOWS\SYSTEM\PSTORES.EXE C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE C:\PROGRAM FILES\FILEMAKER\FILEMAKER PRO 5\FILEMAKER PRO.EXE C:\WINDOWS\SYSTEM\DDHELP.EXE C:\WINDOWS\SYSTEM\SPOOL32.EXE C:\PROGRAM FILES\POWERARCHIVER\POWERARC.EXE C:\WINDOWS\TEMP\HIJACKTHIS.EXE R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.netscape.com/home/winsearch200.html R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://keyword.netscape.com/keyword/%s R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://127.0.0.1:8080/proxyconf R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\downloaded program files\googletoolbar_en_2.0.108-deleon.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\downloaded program files\googletoolbar_en_2.0.108-deleon.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX O4 - HKLM\..\Run: [SystemTray] SysTray.Exe O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp O4 - HKLM\..\Run: [LoadQM] loadqm.exe O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe O4 - HKLM\..\Run: [CountrySelection] pctptt.exe O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd O4 - HKLM\..\Run: [DisableEHCI] C:\WINDOWS\NoUSB20.EXE O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme O4 - HKCU\..\Run: [Spyware-Cop] "C:\PROGRAM FILES\SPYWARE-COP\SPYWARE-COP.EXE" /s O4 - Startup: eClinic Secure Medical Services Client.lnk = C:\Program Files\eClinic Secure Medical Services Client\client.exe O4 - Startup: Billminder.lnk = C:\QUICKENW\billmind.exe O4 - Startup: Digimax Viewer 1.0.lnk = C:\Program Files\Samsung\Digimax Viewer 1.0\DigimaxViewer.exe O4 - Global Startup: NetShow PowerPoint Helper.lnk = C:\Program Files\NetShow Services\Tools\nsppthlp.exe O8 - Extra context menu item: Add to filterlist (WebWasher) - http://-Web.Washer-/ie_add O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_2.0.108-DELEON.DLL/cmsearch.html O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_2.0.108-DELEON.DLL/cmcache.html O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_2.0.108-DELEON.DLL/cmsimilar.html O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_2.0.108-DELEON.DLL/cmbacklinks.html O8 - Extra context menu item: Translate into English - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_2.0.108-DELEON.DLL/cmtrans.html O9 - Extra button: Net2Phone (HKLM) O9 - Extra 'Tools' menuitem: Net2Phone (HKLM) O9 - Extra button: Telstra Usage Meter (HKLM) O9 - Extra 'Tools' menuitem: Telstra Usage Meter (HKLM) O12 - Plugin for .ai: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll O13 - WWW. Prefix: http:// O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub...sh/swflash.cab O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security1.norton.com/sa/commo.../bin/cabsa.cab O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...948.7480208333 O16 - DPF: {5445BE81-B796-11D2-B931-002018654E2E} (MeadCo Security Manager) - http://wcs00180.egain.net/wcsapp/web.../ie/SecMgr.cab O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - http://livesc03.rightnowtech.com/tel.../java/RntX.cab O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab |
| ||
| Re: Hijack this log Have only HJT running & fix this entry= O13 - WWW. Prefix: http:// All clear then. |
| ||
| Re: Hijack this log Quote:
O4 - HKLM\..\Run: [LoadQM] loadqm.exe Microsoft "trickleware"--potential spyware. Causes slowdowns. O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe Never very useful and no longer needed. I also recommend that you update your Acrobat Reader from v5.0 to v6.0. |
| ||
| Re: Hijack this log THANKS so much! |
| All times are GMT -4. The time now is 7:17 am. |
Forum system based on vBulletin Copyright ©2000 - 2009, Jelsoft Enterprises Ltd.
©2003 - 2009 DaniWeb® LLC