
Here is my scan from HijackThis. Any help would be greatly appreciated. Thank you so much.

Logfile of HijackThis v1.98.2
Scan saved at 11:56:58 PM, on 3/11/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\SK9910DM.EXE
C:\WINNT\GWMDMMSG.exe
C:\WINNT\System32\CTHELPER.EXE
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINNT\System32\hphmon04.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Winamp\winampa.exe
C:\WINNT\java\apms.exe
C:\WINNT\system32\mfcow.exe
C:\WINNT\javaxt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\WINNT\System32\wininet.exe
C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://aflashcounter.com/?a=2
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://aflashcounter.com/?a=2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\qndil.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\qndil.dll/sp.html#12345
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotoffers.info/187/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\qndil.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\qndil.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\qndil.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://kon4ay.biz/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\qndil.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://kon4ay.biz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\qndil.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://aflashcounter.com/?a=2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {E64A8D57-5B8E-70A0-E126-AAF3AC375A04} - C:\WINNT\msoi.dll
O2 - BHO: CATLEvents Object - {FF4D5071-EE0E-4DCA-BC1C-D776B0F2276E} - C:\DOCUME~1\Owner\LOCALS~1\Temp\smpa.dat
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINNT\System32\hphmon04.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [ComcastSUPPORT] C:\Program Files\Support.com\bin\tgkill.exe /cleaneahtioga /start
O4 - HKLM\..\Run: [Desksite CMA] C:\Program Files\desksite\bin\cma.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [wmiexe] C:\WINNT\System32\wmiexe32.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [*mscr] C:\WINNT\addins\mscr.exe
O4 - HKLM\..\Run: [*unnut] C:\WINNT\java\Packages\unnut.exe
O4 - HKLM\..\Run: [*srvap] C:\WINNT\Fonts\srvap.exe
O4 - HKLM\..\Run: [*wmfc] C:\WINNT\Help\SBSI\wmfc.exe
O4 - HKLM\..\Run: [*accabr] C:\WINNT\java\Packages\accabr.exe
O4 - HKLM\..\Run: [*acms] C:\WINNT\Speech\acms.exe
O4 - HKLM\..\Run: [*mceula] C:\WINNT\Tasks\mceula.exe
O4 - HKLM\..\Run: [*psbak] C:\WINNT\Help\psbak.exe
O4 - HKLM\..\Run: [*oletask] C:\WINNT\system32\IME\PINTLGNT\oletask.exe
O4 - HKLM\..\Run: [*wjava] C:\WINNT\Cursors\wjava.exe
O4 - HKLM\..\Run: [*imgc] C:\WINNT\Fonts\imgc.exe
O4 - HKLM\..\Run: [*faxdisk] C:\WINNT\Tasks\faxdisk.exe
O4 - HKLM\..\Run: [*sdll] C:\WINNT\Fonts\sdll.exe
O4 - HKLM\..\Run: [*log] C:\WINNT\AppPatch\log.exe
O4 - HKLM\..\Run: [*ipkb] C:\WINNT\Speech\ipkb.exe
O4 - HKLM\..\Run: [mfcow.exe] C:\WINNT\system32\mfcow.exe
O4 - HKLM\..\Run: [3D4.tmp] C:\DOCUME~1\Owner\LOCALS~1\Temp\3D4.tmp.exe 5 10001
O4 - HKLM\..\Run: [4CE612F6] C:\WINNT\system32\luislmst.exe
O4 - HKLM\..\Run: [AD1A9046] C:\WINNT\system32\wotfgm.exe
O4 - HKLM\..\Run: [D36C61C6] C:\WINNT\system32\afkqgy.exe
O4 - HKLM\..\Run: [F62C0BFE] C:\WINNT\system32\ATHEUIufpe.exe
O4 - HKLM\..\Run: [AA69F1D6] C:\WINNT\system32\mzintf.exe
O4 - HKLM\..\Run: [F182CE56] C:\WINNT\system32\qyoctiv.exe
O4 - HKLM\..\Run: [C03BAC5E] C:\WINNT\system32\tmnxh.exe
O4 - HKLM\..\Run: [AB84C973] C:\WINNT\system32\htapwiosr.exe
O4 - HKLM\..\Run: [FB605876] C:\WINNT\system32\dptiack.exe
O4 - HKLM\..\Run: [SearchAssistant] "C:\Q92194.exe "
O4 - HKLM\..\Run: [CDAFCC53] C:\WINNT\system32\pidisc.exe
O4 - HKLM\..\Run: [D73B21CE] C:\WINNT\system32\svcqnq.exe
O4 - HKLM\..\Run: [A0BD4A53] C:\WINNT\system32\axiasq.exe
O4 - HKLM\..\Run: [8B99944E] C:\WINNT\system32\bozwot.exe
O4 - HKLM\..\Run: [F3E2FE5B] C:\WINNT\system32\friosmk.exe
O4 - HKLM\..\Run: [AB62C6DE] C:\WINNT\system32\xexblbr.exe
O4 - HKLM\..\Run: [CC43448B] C:\WINNT\system32\cluadlh.exe
O4 - HKLM\..\Run: [FFF241E3] C:\WINNT\system32\aaamapildp.exe
O4 - HKLM\..\Run: [FCB8764B] C:\WINNT\system32\qyovnlqn.exe
O4 - HKLM\..\Run: [8D8E8A46] C:\WINNT\system32\dhtagg.exe
O4 - HKLM\..\Run: [FB5FCDF3] C:\WINNT\system32\6to4dlhctr.exe
O4 - HKLM\..\Run: [B7E0B10E] C:\WINNT\system32\o4dimfdbad.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\RunOnce: [*apms] C:\WINNT\java\apms.exe rerun
O4 - HKLM\..\RunOnce: [javaxt.exe] C:\WINNT\javaxt.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [MyKeys] "C:\Program Files\mfk\MFK.EXE" /M
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe"
O4 - HKCU\..\Run: [wininet] C:\WINNT\System32\wininet.exe
O4 - HKCU\..\Run: [ESPN BottomLine] C:\Program Files\ESPN\BottomLine\bline.exe
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [4CE612F6] C:\WINNT\system32\luislmst.exe
O4 - HKCU\..\Run: [AD1A9046] C:\WINNT\system32\wotfgm.exe
O4 - HKCU\..\Run: [D36C61C6] C:\WINNT\system32\afkqgy.exe
O4 - HKCU\..\Run: [F62C0BFE] C:\WINNT\system32\ATHEUIufpe.exe
O4 - HKCU\..\Run: [AA69F1D6] C:\WINNT\system32\mzintf.exe
O4 - HKCU\..\Run: [F182CE56] C:\WINNT\system32\qyoctiv.exe
O4 - HKCU\..\Run: [C03BAC5E] C:\WINNT\system32\tmnxh.exe
O4 - HKCU\..\Run: [AB84C973] C:\WINNT\system32\htapwiosr.exe
O4 - HKCU\..\Run: [FB605876] C:\WINNT\system32\dptiack.exe
O4 - HKCU\..\Run: [CDAFCC53] C:\WINNT\system32\pidisc.exe
O4 - HKCU\..\Run: [D73B21CE] C:\WINNT\system32\svcqnq.exe
O4 - HKCU\..\Run: [A0BD4A53] C:\WINNT\system32\axiasq.exe
O4 - HKCU\..\Run: [8B99944E] C:\WINNT\system32\bozwot.exe
O4 - HKCU\..\Run: [F3E2FE5B] C:\WINNT\system32\friosmk.exe
O4 - HKCU\..\Run: [AB62C6DE] C:\WINNT\system32\xexblbr.exe
O4 - HKCU\..\Run: [CC43448B] C:\WINNT\system32\cluadlh.exe
O4 - HKCU\..\Run: [FFF241E3] C:\WINNT\system32\aaamapildp.exe
O4 - HKCU\..\Run: [FCB8764B] C:\WINNT\system32\qyovnlqn.exe
O4 - HKCU\..\Run: [8D8E8A46] C:\WINNT\system32\dhtagg.exe
O4 - HKCU\..\Run: [FB5FCDF3] C:\WINNT\system32\6to4dlhctr.exe
O4 - HKCU\..\Run: [B7E0B10E] C:\WINNT\system32\o4dimfdbad.exe
O4 - HKCU\..\RunOnce: [*WinLogon] C:\WINNT\Web\vgacat.exe ren my_time:1110598317
O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: TFTP2180
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\AIM95_c0\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - blank (file missing)
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\GameClient.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: ComcastHSI - {68F460C0-DB60-4E5E-919C-F0CC4CC859C2} - http://www.comcast.net (file missing) (HKCU)
O9 - Extra button: Help - {7BDDEB8F-DA99-4A05-86B8-AF15D262D8AA} - http://www.comcast.net/memberservices/ (file missing) (HKCU)
O9 - Extra button: Support - {F2B2E116-47F1-486C-AD38-BC27F76AC912} - http://www.comcastsupport.com (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://*.093qpeuqpmz6ebfa.com
O15 - Trusted Zone: http://*.0texkax7c6hzuidk.com
O15 - Trusted Zone: http://*.69sexsearch.com
O15 - Trusted Zone: http://*.afendis.de
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: http://*.rapid-pass.net
O16 - DPF: {0837121A-6472-43BD-8A40-D9221FF1C4CE} - http://download.sidestep.com/get/k22675/sb026.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} - http://install.wildtangent.com/ActiveLauncher/ActiveLauncher.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20020713/qtinstall.info.apple.com/samantha/us/win/QuickTimeInstaller.exe
O16 - DPF: {8EF27A70-DD04-11D6-B7F6-00A0C9CD5F8A} - http://www.quikshield.com/qshsetup.exe
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildtangent.com/hitthepros03/foxsports/wtinst.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {C001EF8E-E4D3-4B1A-BDD5-3541C2D6F675} (WRI.MachineAuth) - https://pos.wirelessretailinc.com/onepoint50/WRIMachineAuth.CAB
O16 - DPF: {CAFEEFAC-0013-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.3.1_02) - https://kronos.wirelessretailinc.com/wfc/plugins/j2re-1_3_1_02-win.exe
O16 - DPF: {D670D0B3-05AB-4115-9F87-D983EF1AC747} - http://pak02.pictures.aol.com/ygp/aol/plugin/download/YGPPicDownload.en-US.9.1.6.18.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/yiebio5_1_3_0.cab
O16 - DPF: {FE5B9F54-7764-4C01-89F0-4862601EE954} (DigWebHelper Class) - http://photos.msn.com/resources/neutral/controls/DigWebX2.cab?10,0,910,0
O17 - HKLM\System\CCS\Services\Tcpip\..\{00432299-0F61-4A79-907E-A5D487FC600F}: NameServer = 69.50.176.196,195.225.176.37
O17 - HKLM\System\CCS\Services\Tcpip\..\{218C2BDB-531A-4FA4-BB4C-DB690FA26468}: NameServer = 69.50.176.196,195.225.176.37
O17 - HKLM\System\CCS\Services\Tcpip\..\{281D9B23-BC77-4EB7-BA50-BBCBE82BC160}: NameServer = 69.50.176.196,195.225.176.37
O17 - HKLM\System\CCS\Services\Tcpip\..\{2C63B4D9-DE98-4B25-BEAE-4E6D2A5F5332}: NameServer = 69.50.176.196,195.225.176.37
O17 - HKLM\System\CCS\Services\Tcpip\..\{70A207DF-57A7-4F3C-AC50-835FDCEC8897}: NameServer = 69.50.176.196,195.225.176.37
O17 - HKLM\System\CCS\Services\Tcpip\..\{88B863F6-082D-4172-B2E1-773745D224D9}: NameServer = 69.50.176.196,195.225.176.37
O17 - HKLM\System\CCS\Services\Tcpip\..\{99C82808-F90B-4887-9FFA-3DC14519299E}: NameServer = 69.50.176.196,195.225.176.37
O17 - HKLM\System\CCS\Services\Tcpip\..\{C9AB0C52-66CD-46DB-9FC1-32FC4D6342FF}: NameServer = 69.50.176.196,195.225.176.37
O17 - HKLM\System\CCS\Services\Tcpip\..\{EFFDDB23-DF72-4A8A-B30A-40C776F94F66}: NameServer = 69.50.176.196,195.225.176.37
O17 - HKLM\System\CS1\Services\Tcpip\..\{00432299-0F61-4A79-907E-A5D487FC600F}: NameServer = 69.50.176.196,195.225.176.37
O17 - HKLM\System\CS2\Services\Tcpip\..\{00432299-0F61-4A79-907E-A5D487FC600F}: NameServer = 69.50.176.196,195.225.176.37

Last Post by dlh6213

Hi. First of all, you need to update HijackThis to version 1.99.1. Run HijackThis & go to *Config\Misc Tools\Check for update on-line*. If the site is down, go here and download the self-extracting zip version. Remove the old version by opening the program, going to Config\Misc Tools, then uninstall & exit. You then have to delete the file manually. Unzip the new version into the HijackThis folder, or in the case of the self-extracting version, it will self-install into your Program Files folder.

Go here to TrendMicro for an on-line scan & set it to autoclean for you. When it completes, post back the full filename of any files that cannot be cleaned or deleted.

Try this scan at Panda as well.

The scan here does not require an ActiveX install, but uses Java instead.
http://fr.trendmicro-europe.com/consumer/products/housecall_launch.php

Post a new log after doing the above and rebooting.
