0

I have been hijacked! this is my HijackThis log, I have no idea what to do with it!

Logfile of HijackThis v1.97.7

Scan saved at 9:55:49 AM, on 6/04/04

Platform: Windows 98 SE (Win9x 4.10.2222A)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\WINDOWS\EXPLORER.EXE

C:\WINDOWS\SYSTEM\RPCSS.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\WINDOWS\LOADQM.EXE

C:\WINDOWS\TASKMON.EXE

C:\PROGRAM FILES\IOMEGA\DRIVEICONS\IMGICON.EXE

C:\WINDOWS\ptsnoop.exe

C:\WINDOWS\RUNDLL32.EXE

C:\WINDOWS\SYSTEM\RNAAPP.EXE

C:\PROGRAM FILES\NETSHOW SERVICES\TOOLS\REXPROXY.EXE

C:\PROGRAM FILES\ECLINIC SECURE MEDICAL SERVICES CLIENT\CLIENT.EXE

C:\WINDOWS\SYSTEM\TAPISRV.EXE

C:\PROGRAM FILES\SAMSUNG\DIGIMAX VIEWER 1.0\DIGIMAXVIEWER.EXE

C:\WINDOWS\SYSTEM\WMIEXE.EXE

C:\WINDOWS\SYSTEM\SPOOL32.EXE

C:\PROGRAM FILES\FILEMAKER\FILEMAKER PRO 5\FILEMAKER PRO.EXE

C:\WINDOWS\SYSTEM\DDHELP.EXE

C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

C:\WINDOWS\TEMP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://mshp.dll/sp.html#23648

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://mshp.dll/index.html#23648

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://mshp.dll/index.html#23648

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.netscape.com/home/winsearch200.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://mshp.dll/sp.html#23648

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://mshp.dll/index.html#23648

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://mshp.dll/sp.html#23648

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://keyword.netscape.com/keyword/%s

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://127.0.0.1:8080/proxyconf

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX

O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\downloaded program files\googletoolbar_en_2.0.108-deleon.dll

O2 - BHO: . - {587DBF2D-9145-4c9e-92C2-1F953DA73773} - C:\WINDOWS\APPLICATION DATA\MSAF\MSAF.DLL

O2 - BHO: (no name) - {FD9BC004-8331-4457-B830-4759FF704C22} - C:\WINDOWS\APPLICATION DATA\MSAF\MSIESH.DLL

O2 - BHO: ShowSearch module - {E2DDF680-9905-4dee-8C64-0A5DE7FE133C} - C:\WINDOWS\APPLICATION DATA\MSAF\MSSEARCH.DLL

O2 - BHO: (no name) - {2E9CAFF6-30C7-4208-8807-E79D4EC6F806} - C:\PROGRAM FILES\SUBMIT\SUBMITHOOK.DLL

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\downloaded program files\googletoolbar_en_2.0.108-deleon.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O4 - HKLM\..\Run: [SystemTray] SysTray.Exe

O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp

O4 - HKLM\..\Run: [PE2CKFNT SE] D:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe

O4 - HKLM\..\Run: [LoadQM] loadqm.exe

O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun

O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe

O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET

O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe

O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe

O4 - HKLM\..\Run: [CountrySelection] pctptt.exe

O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe

O4 - HKLM\..\Run: [Image] rundll32 C:\WINDOWS\IMAGE.DLL,Install

O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd

O4 - HKLM\..\Run: [DisableEHCI] C:\WINDOWS\NoUSB20.EXE

O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKCU\..\RunServices: [Image] rundll32 C:\WINDOWS\IMAGE.DLL,Install

O4 - Startup: eClinic Secure Medical Services Client.lnk = C:\Program Files\eClinic Secure Medical Services Client\client.exe

O4 - Startup: Billminder.lnk = C:\QUICKENW\billmind.exe

O4 - Startup: Digimax Viewer 1.0.lnk = C:\Program Files\Samsung\Digimax Viewer 1.0\DigimaxViewer.exe

O4 - Global Startup: NetShow PowerPoint Helper.lnk = C:\Program Files\NetShow Services\Tools\nsppthlp.exe

O8 - Extra context menu item: Add to filterlist (WebWasher) - http://-Web.Washer-/ie_add

O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_2.0.108-DELEON.DLL/cmsearch.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_2.0.108-DELEON.DLL/cmcache.html

O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_2.0.108-DELEON.DLL/cmsimilar.html

O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_2.0.108-DELEON.DLL/cmbacklinks.html

O8 - Extra context menu item: Translate into English - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_2.0.108-DELEON.DLL/cmtrans.html

O9 - Extra button: Net2Phone (HKLM)

O9 - Extra 'Tools' menuitem: Net2Phone (HKLM)

O9 - Extra button: Telstra Usage Meter (HKLM)

O9 - Extra 'Tools' menuitem: Telstra Usage Meter (HKLM)

O12 - Plugin for .ai: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll

O13 - WWW. Prefix: http://

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security1.norton.com/sa/common/common/bin/cabsa.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37948.7480208333

O16 - DPF: {5445BE81-B796-11D2-B931-002018654E2E} (MeadCo Security Manager) - http://wcs00180.egain.net/wcsapp/weblib/Javascript/messaging/ie/SecMgr.cab

O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - http://livesc03.rightnowtech.com/telstralivechat/telstralivechat/rnt/rnl/java/RntX.cab

3
Contributors
5
Replies
6
Views
13 Years
Discussion Span
Last Post by nez
0

You have a CWS infection. Download CWShredder from http://209.133.47.200/~merijn/files/CWShredder.exe & run it. Select the fix button & it will get rid of everything related to CoolWebSearch. Close ALL other programs including IE before running CWShredder.

Download & instal Adaware from http://majorgeeks.com/download.php?det=506
& update it B4 scanning.
In settings under 'scanning,' have it set to
'scan within archives,'
'scan active processes,'
'scan registry,'
'deepscan registry'
'scan my IE Favourites for banned URL's,'
'scan my host's file.'
Also in tweaks under 'cleaning engine' set it to 'Automatically try to unregister objects prior to deletion.'
Remove what it finds by placing a check in the box to the left of the object.
Download & instal Spybot S&D from http://www.safer-networking.org/index.php?page=download Update it B4 scanning.
After the scan is complete, have spybot fix everything marked RED.
On the page that first opens when you start Spybot there is an option to immunise, you should do this. In the immunise section there is also a link to download Spywareblaster. Download that & you can keep it updated by selecting the same link that you use to download it.
Reboot after doing this & post another log please.

0

Thanks! I did all you said and this is my new log:


Logfile of HijackThis v1.97.7
Scan saved at 15:59:28 PM, on 7/04/04

Platform: Windows 98 SE (Win9x 4.10.2222A)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\WINDOWS\EXPLORER.EXE

C:\WINDOWS\SYSTEM\RPCSS.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\WINDOWS\LOADQM.EXE

C:\WINDOWS\TASKMON.EXE

C:\PROGRAM FILES\IOMEGA\DRIVEICONS\IMGICON.EXE

C:\WINDOWS\ptsnoop.exe

C:\WINDOWS\RUNDLL32.EXE

C:\PROGRAM FILES\ECLINIC SECURE MEDICAL SERVICES CLIENT\CLIENT.EXE

C:\PROGRAM FILES\NETSHOW SERVICES\TOOLS\REXPROXY.EXE

C:\PROGRAM FILES\SAMSUNG\DIGIMAX VIEWER 1.0\DIGIMAXVIEWER.EXE

C:\WINDOWS\SYSTEM\RNAAPP.EXE

C:\WINDOWS\SYSTEM\TAPISRV.EXE

C:\WINDOWS\SYSTEM\WMIEXE.EXE

C:\WINDOWS\SYSTEM\PSTORES.EXE

C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

C:\PROGRAM FILES\FILEMAKER\FILEMAKER PRO 5\FILEMAKER PRO.EXE

C:\WINDOWS\SYSTEM\DDHELP.EXE

C:\WINDOWS\SYSTEM\SPOOL32.EXE

C:\PROGRAM FILES\POWERARCHIVER\POWERARC.EXE

C:\WINDOWS\TEMP\HIJACKTHIS.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.netscape.com/home/winsearch200.html

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://keyword.netscape.com/keyword/%s

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://127.0.0.1:8080/proxyconf

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX

O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\downloaded program files\googletoolbar_en_2.0.108-deleon.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\downloaded program files\googletoolbar_en_2.0.108-deleon.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O4 - HKLM\..\Run: [SystemTray] SysTray.Exe

O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp

O4 - HKLM\..\Run: [LoadQM] loadqm.exe

O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun

O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe

O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET

O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe

O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe

O4 - HKLM\..\Run: [CountrySelection] pctptt.exe

O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe

O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd

O4 - HKLM\..\Run: [DisableEHCI] C:\WINDOWS\NoUSB20.EXE

O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKCU\..\Run: [Spyware-Cop] "C:\PROGRAM FILES\SPYWARE-COP\SPYWARE-COP.EXE" /s

O4 - Startup: eClinic Secure Medical Services Client.lnk = C:\Program Files\eClinic Secure Medical Services Client\client.exe

O4 - Startup: Billminder.lnk = C:\QUICKENW\billmind.exe

O4 - Startup: Digimax Viewer 1.0.lnk = C:\Program Files\Samsung\Digimax Viewer 1.0\DigimaxViewer.exe

O4 - Global Startup: NetShow PowerPoint Helper.lnk = C:\Program Files\NetShow Services\Tools\nsppthlp.exe

O8 - Extra context menu item: Add to filterlist (WebWasher) - http://-Web.Washer-/ie_add

O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_2.0.108-DELEON.DLL/cmsearch.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_2.0.108-DELEON.DLL/cmcache.html

O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_2.0.108-DELEON.DLL/cmsimilar.html

O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_2.0.108-DELEON.DLL/cmbacklinks.html

O8 - Extra context menu item: Translate into English - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_2.0.108-DELEON.DLL/cmtrans.html

O9 - Extra button: Net2Phone (HKLM)

O9 - Extra 'Tools' menuitem: Net2Phone (HKLM)

O9 - Extra button: Telstra Usage Meter (HKLM)

O9 - Extra 'Tools' menuitem: Telstra Usage Meter (HKLM)

O12 - Plugin for .ai: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll

O13 - WWW. Prefix: http://

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security1.norton.com/sa/common/common/bin/cabsa.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37948.7480208333

O16 - DPF: {5445BE81-B796-11D2-B931-002018654E2E} (MeadCo Security Manager) - http://wcs00180.egain.net/wcsapp/weblib/Javascript/messaging/ie/SecMgr.cab

O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - http://livesc03.rightnowtech.com/telstralivechat/telstralivechat/rnt/rnl/java/RntX.cab

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

0

I did all you said and this is my new log:

There's a couple of others that will be useful to remove. Have only HjT running and remove these entries:

O4 - HKLM\..\Run: [LoadQM] loadqm.exe
Microsoft "trickleware"--potential spyware. Causes slowdowns.

O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
Never very useful and no longer needed.

I also recommend that you update your Acrobat Reader from v5.0 to v6.0.

This question has already been answered. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.