Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

OK. Here's the highjack log AFTER using


  • This topic is locked This topic is locked
9 replies to this topic

#1 idjutt

idjutt

  • Members
  • 35 posts
  • OFFLINE
  •  
  • Local time:03:30 PM

Posted 19 May 2004 - 01:28 AM

appreciated. I'm a novice at the computer so PLEASE type S L O W L Y!

Seriously, most of this stuff flys over my head. Here's my log. I hope it entertains you. I suspect a moderating weasel at a site I visit (subguns) messed up my Firefox Browser. Every time I try to use Firefox it loads some damn site and will only return back to it no matter what I type. At the bottom of this is Adaware's quarantined stuff. Some of it is very graphic so I've XXX'd some out. I've no idea how to remove this crap. Thanks for your time!

Idjutt

Logfile of HijackThis v1.97.7
Scan saved at 10:59:13 PM, on 5/18/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0600)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\MUSICMATCH\MUSICMATCH JUKEBOX\MM_TRAY.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\DEFALERT.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\GAME CONTROLLERS\COMMON\SWTRAYV4.EXE
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER\DPPS2.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\PROGRAM FILES\SIERRA IMAGING\IMAGE EXPERT 2000\IXAPPLET.EXE
C:\PROGRAM FILES\LAVASOFT\AD-AWARE 6\AD-AWARE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\QWICKCONNECT\DIALER.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://drudgereport.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://usseek.net/qwickconnect
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://usseek.net/qwickconnect
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\NORTON~1\DEFALERT.EXE
O4 - HKLM\..\Run: [SideWinderTrayV4] C:\PROGRA~1\MICROS~8\GAMECO~1\COMMON\SWTRAYV4.EXE
O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER\DPPS2.EXE"
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKCU\..\Run: [iedll] C:\WINDOWS\iedll.exe
O4 - HKCU\..\Run: [Adaware Bootup] C:\PROGRAM FILES\LAVASOFT AD-AWARE\AD-AWARE.EXE /Auto /Log "C:\PROGRAM FILES\LAVASOFT AD-AWARE\"
O4 - Startup: MICROSOFT OFFICE.LNK = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: MICROSOFT WORKS CALENDAR REMINDERS.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: CAMIO VIEWER 3.2.LNK = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O9 - Extra button: Encarta Encyclopedia (HKLM)
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia (HKLM)
O9 - Extra button: Define (HKLM)
O9 - Extra 'Tools' menuitem: Define (HKLM)
O9 - Extra button: Dell Home (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.dellnet.com/
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.0) -
O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://proxify.com/nph-proxy.cgi/111111A/6...22f73772e636162
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/0210315bd9d748f42d04/...ip/RdxIE601.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...s/yinst0401.cab


Adaware's stuff
ArchiveData(auto-quarantine- 18-05-2004 21-41-31.bckp)
======================================================

ALEXA

obj[0]=RegKey : SOFTWARE\Microsoft\Internet Explorer\Extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}

CRONTEL LTD

obj[1]=RegKey : SOFTWARE\DiallerProgram
obj[22]=Folder : c:\program files\DiallerProgram
obj[34]=File : c:\program files\diallerprogram\028125.exe
obj[35]=File : c:\program files\log.txt

DOWNLOADWARE

obj[2]=RegKey : SOFTWARE\DownloadWare
obj[3]=RegKey : SOFTWARE\Microsoft\Windows\CurrentVersion\uninstall\MediaLoads Installer
obj[36]=File : c:\windows\digital signature 20020616.htm

EACCELERATION

obj[4]=RegKey : MSEaid.Gd\GLSID
obj[23]=RegKey : MSEaid.Gd

HI-WIRE

obj[5]=RegKey : CLSID\{28f00b04-dc4e-11d3-abec-005004a44eeb}
obj[6]=RegKey : CLSID\{28f00b20-dc4e-11d3-abec-005004a44eeb}
obj[7]=RegKey : CLSID\{28f00b21-dc4e-11d3-abec-005004a44eeb}
obj[8]=RegKey : hiwire.configurator
obj[9]=RegKey : hiwire.configurator.1
obj[10]=RegKey : hiwire.transportcenter
obj[11]=RegKey : hiwire.transportcenter.1
obj[12]=RegKey : hiwire.userregrequest
obj[13]=RegKey : hiwire.userregrequest.1
obj[14]=RegKey : Software\HIWIRE
obj[37]=File : c:\windows\downloaded program files\hwutils.dll
obj[38]=File : c:\windows\downloaded program files\hwaudio.dll
obj[39]=File : c:\windows\downloaded program files\hwmedia.exe

COMMONNAME

obj[15]=RegValue : Software\Microsoft\Windows\CurrentVersion\Explorer
obj[16]=RegValue : Software\Microsoft\Windows\CurrentVersion\Explorer
obj[24]=RegValue : Software\Microsoft\Windows\CurrentVersion\Run

COOLWEBSEARCH

obj[17]=RegValue : SOFTWARE\Microsoft\Internet Explorer\Main
obj[25]=RegValue : Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
obj[40]=File : c:\windows\favorites\links\!!! exclusive youngest porn !!!.url
obj[41]=File : c:\windows\favorites\links\80 old daddies brutally XXXXX their daughters.url
obj[42]=File : c:\windows\favorites\links\censored youngest porn.url
obj[43]=File : c:\windows\favorites\links\fresh xxx pics & movie.url
obj[44]=File : c:\windows\favorites\links\XXXing young virginz !!!.url
obj[45]=File : c:\windows\favorites\links\innocent girls brutally XXXed.url
obj[46]=File : c:\windows\favorites\links\little bleepes getting XXX.url
obj[47]=File : c:\windows\favorites\links\virgin girls in action.url
obj[48]=File : c:\windows\favorites\links\young masha XXX obj[49]=File : c:\windows\favorites\links\youngest girls only.url
obj[50]=File : c:\windows\favorites\links\youngest hardcore action.url

POSSIBLE BROWSER HIJACK ATTEMPT

obj[18]=RegData : Software\Microsoft\Internet Explorer
obj[19]=RegData : .Default\Software\Microsoft\Internet Explorer
obj[20]=RegData : Software\Microsoft\Internet Explorer\Search
obj[21]=RegData : .Default\Software\Microsoft\Internet Explorer\Search

TRACKING COOKIE

obj[26]=File : c:\windows\cookies\default@fastclick[1].txt
obj[27]=File : c:\windows\cookies\default@zedo[2].txt
obj[28]=File : c:\windows\cookies\default@zedo[1].txt
obj[29]=File : c:\windows\cookies\[email protected][1].txt
obj[30]=File : c:\windows\cookies\default@centrport[1].txt
obj[31]=File : c:\windows\cookies\default@tribalfusion[1].txt
obj[32]=File : c:\windows\cookies\[email protected][1].txt
obj[33]=File : c:\windows\cookies\default@tribalfusion[2].txt

BC AdBot (Login to Remove)

 


#2 Guest_Plimsol_*

Guest_Plimsol_*

  • Guests
  • OFFLINE
  •  

Posted 19 May 2004 - 03:22 PM

You are infected with a variant of the CoolWebSearch.

Download CWShredder from the below link and unzip it into a directory. Start CWShredder and click on the FIx button to have it remove all CWS infections it finds.

Download CWShredder from:

http://www.merijn.org/files/cwshredder.zip

After you download the program, unzip it into a directory. Make sure all browser windows are closed and double click on the cwshredder.exe to start the program. When the program is loaded click on the "Check for Update" button, and if it finds an new version it will download it. You should then double click on cwshredder.exe again and click on the "FIX" button (not the "Scan only" button) and let it scan your computer.

To get the best results it is recommended that you run it in safe mode. Reboot windows and press F8 at boot/windows startup, usually right after the beep. Then select safe mode.

A tutorial that goes over this process step by step can be found here:

How to remove CoolWebSearch with CoolWeb Shredder

Once that is completed you should follow these steps in order to clean your computer of Malware which can include Viruses, Trojans, Worms, Spyware, Hijackers and Dialers

Step 1:
Download Spybot and Adaware from the following locations and install them. You should run both programs and clean up what it finds. This is to gaurantee that you find the most malware you can installed on your computer.

Before running the scans on both programs, it is mandatory that you update the programs. There are update options in each program when you run them.

Spybot

Ad-aware

If you would like to learn more about how to use these two programs with the proper settings you can read the tutorials below:

AD-AWARE - Using Ad-aware to remove Spyware/Hijackers from Your Computer.

SPYBOT SEARCH AND DESTROY - Using Spybot - Search & Destroy to remove Spyware from Your Computer.



When you scan with both programs, fix everything that it finds.

When you are done with the scan and fixing the items. Please continue with the next step.

Step 2:

It is important that you run Spybot and Adaware before you proceed with this step. Fixing enties with Hijackthis may leave behind unwanted files on your computer if the previous step was not done first.

Create a directory on your hardrive to save HijackThis.exe. A directory like c:\hijackthis. If you do not do this, you will not be able to use the backup/restore features.

Download HijackThis from:

HijackThis

Save this file into the directory you made previously and then run the program. Click on the Scan button and when it is finished click on the Save Log button. A Notepad window will open with the contents of this log. Click on Edit then click on Select all. Then click on Edit and then Click on Copy.

Create a reply to this post, and right click in message area and select paste to paste the log into the post.

Someone will reply to you after reading this post. DO NOT fix any entries unless you understand what you are doing.

To see a tutorial on using HijackThis you can click on the link below:

HijackThis - Using HijackThis to Remove Spyware, Browser Hijackers, and Dialers

#3 idjutt

idjutt
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  •  

Posted 20 May 2004 - 04:45 PM

:thumbsup: Like I said I'M A NOVICE. I is SO stoopit I'm not even clear on what a 'directory' is. :flowers:

Thank you, ever SO much for the time spent in replying to my dilemna.
When I try to unzip CWS I get THIS CRUD that runs on FOR DAYS. I managed to get a tiny portion to post that didn't crash me browser this time :trumpet:


PK   %50/d9 € ) miniremoval_coolwebsearch_smartkiller.exe}y@g`ԤrAeqEE‚——(4P|4E/{YOzž,†@ ——h‘’‹œ{gfŸ59s=7nIP
‚t‚-gO!B‡>T1ŠŠ2–f…\XfŠ–,sⴐLԴ̐YKW†k:JŸ(S‚ dyv
ea$d0† c-WbjOb…CIitZ!u+„’"…Ft"‹#"ѿŸ]XE›x=„x7ŸE<|‚v!KSS)3]
1™X‹ez64Š1 )^q™XPU}LE)+‚†Œ?(Wge—Uƒqž=SܭižY

And when I try the 'alternate way' I get;

The requested URL could not be retrieved

--------------------------------------------------------------------------------

While trying to retrieve the URL: http://209.133.47.200/%7Emerijn/files/CWShredder.exe

The following error was encountered:

We can not connect to the server you have requested.

This means that:


The server might be busy at this time.
The server is not reachable.


Please try later to see if you can go through.

Thanks for your assistance, once again!

The idjutt.

#4 Grinler

Grinler

    Bleep Bleep!


  • Admin
  • 40,253 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:03:30 PM

Posted 20 May 2004 - 04:54 PM

Download CWShredder from here:

CWShredder

Save it to your c:\ drive.

On your desktop double click on my computer, then double click on the c: drive.

Double click on CWShredder and click on the fix button.

Then post a new hijackthis log.

Dont worry about your computer expertises...we will get you through this.

#5 idjutt

idjutt
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  •  
  • Local time:04:30 PM

Posted 20 May 2004 - 04:59 PM

:thumbsup:

Oh, and when I download the miniremoval tool into my C:\ CWS folder and try to open it...

IT SAYS IT IS NOT FOUND IN MY SYSTEM! Arggh! :flowers:

Idjutt

#6 Grinler

Grinler

    Bleep Bleep!


  • Admin
  • 40,253 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:03:30 PM

Posted 20 May 2004 - 05:02 PM

What program did you just run? THe miniremoval tool or the cwshredder tool i just gave you a link to in my previous post?

#7 idjutt

idjutt
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  •  
  • Local time:04:30 PM

Posted 21 May 2004 - 03:24 PM

Here's what it shows before the scan and then tells me my system is clean.


Windows system dir: C:\WINDOWS\system
AppData folder: C:\WINDOWS\Application Data
Username: default

Found Hosts file: C:\WINDOWS\hosts (168 bytes, A)
Found CWS.Control (if filesize is over 50k) file: C:\WINDOWS\control.exe (2144 bytes, A)
CWS.Oslogo (if value is 2) Registry value: Domains: *.coolwebsearch.com [*] dword:4
CWS.Oslogo (if value is 2) Registry value: Domains: *.coolwwwsearch.com [*] dword:4
CWS.Googlems.2 (if value is 2) Registry value: Domains: *.xxxtoolbar.com [*] dword:4
CWS.Googlems.4 (if value is 2) Registry value: Domains: *.teensguru.com [*] dword:4
Registry value: DefaultPrefix (should be http://) [] http://
Registry value: WWW Prefix (should be http://) [www] http://
Registry value: Mosaic Prefix (should be http://) [mosaic] http://
Registry value: Home Prefix (should be http://) [home] http://
Found Win.ini file: C:\WINDOWS\win.ini (8612 bytes, A)
Found line in Win.ini: load=
Found line in Win.ini: run=
Found System.ini file: C:\WINDOWS\system.ini (2313 bytes, A)
Found line in System.ini: shell=Explorer.exe

It sure don't look clean to me.

Thanks to you guys who are helping. Just a new point of interest- IE browser gives me a couple of 'forbidden' messages when I try to get on a couple of sites that I used to go to. Any thoughts? Can I just DUMP IE out of my computer, somehow, and then reload it. I have the discs that came with my computer. Can I DUMP EVERYTHING and start again? Or will the crap still be in the system? Am I just retarded or what?




Logfile of HijackThis v1.97.7
Scan saved at 1:09:39 PM, on 5/21/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\MUSICMATCH\MUSICMATCH JUKEBOX\MM_TRAY.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\GAME CONTROLLERS\COMMON\SWTRAYV4.EXE
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER\DPPS2.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\LAVASOFT\AD-AWARE 6\AD-AWARE.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\PROGRAM FILES\SIERRA IMAGING\IMAGE EXPERT 2000\IXAPPLET.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\SPYBOTSD.EXE
C:\PROGRAM FILES\QWICKCONNECT\DIALER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\CWS\CWSHREDDER.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\UNZIPPED\DELCWSSK2\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://drudgereport.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://usseek.net/qwickconnect
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 156.63.20.95:80
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\NORTON~1\DEFALERT.EXE
O4 - HKLM\..\Run: [SideWinderTrayV4] C:\PROGRA~1\MICROS~8\GAMECO~1\COMMON\SWTRAYV4.EXE
O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER\DPPS2.EXE"
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [Ad-aware] "C:\PROGRAM FILES\LAVASOFT\AD-AWARE 6\AD-AWARE.EXE" +c
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKCU\..\Run: [Adaware Bootup] C:\PROGRAM FILES\LAVASOFT AD-AWARE\AD-AWARE.EXE /Auto /Log "C:\PROGRAM FILES\LAVASOFT AD-AWARE\"
O4 - Startup: MICROSOFT OFFICE.LNK = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: MICROSOFT WORKS CALENDAR REMINDERS.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: CAMIO VIEWER 3.2.LNK = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O9 - Extra button: Encarta Encyclopedia (HKLM)
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia (HKLM)
O9 - Extra button: Define (HKLM)
O9 - Extra 'Tools' menuitem: Define (HKLM)
O9 - Extra button: Dell Home (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.dellnet.com/
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.0) -
O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://proxify.com/nph-proxy.cgi/111111A/6...22f73772e636162
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/0210315bd9d748f42d04/...ip/RdxIE601.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...s/yinst0401.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8128.4997222222

#8 Grinler

Grinler

    Bleep Bleep!


  • Admin
  • 40,253 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:03:30 PM

Posted 21 May 2004 - 03:30 PM

Run CWSHredder that you are using version 1.57.0.

This time done click on the scan button, but rather click on the fix button.

#9 idjutt

idjutt
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  •  
  • Local time:04:30 PM

Posted 21 May 2004 - 09:13 PM

:flowers:
I had clicked fix, btw. I just wanted to show what it looked like AFTER I had 'fixed' it.

Here's the NEWEST log after 'fixing'.

Logfile of HijackThis v1.97.7
Scan saved at 6:54:04 PM, on 5/21/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\MUSICMATCH\MUSICMATCH JUKEBOX\MM_TRAY.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\GAME CONTROLLERS\COMMON\SWTRAYV4.EXE
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER\DPPS2.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\PROGRAM FILES\SIERRA IMAGING\IMAGE EXPERT 2000\IXAPPLET.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\UNZIPPED\DELCWSSK2\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://drudgereport.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://usseek.net/qwickconnect
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 156.63.20.95:80
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\NORTON~1\DEFALERT.EXE
O4 - HKLM\..\Run: [SideWinderTrayV4] C:\PROGRA~1\MICROS~8\GAMECO~1\COMMON\SWTRAYV4.EXE
O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER\DPPS2.EXE"
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [Ad-aware] "C:\PROGRAM FILES\LAVASOFT\AD-AWARE 6\AD-AWARE.EXE" +c
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKCU\..\Run: [Adaware Bootup] C:\PROGRAM FILES\LAVASOFT AD-AWARE\AD-AWARE.EXE /Auto /Log "C:\PROGRAM FILES\LAVASOFT AD-AWARE\"
O4 - Startup: MICROSOFT OFFICE.LNK = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: MICROSOFT WORKS CALENDAR REMINDERS.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: CAMIO VIEWER 3.2.LNK = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O9 - Extra button: Encarta Encyclopedia (HKLM)
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia (HKLM)
O9 - Extra button: Define (HKLM)
O9 - Extra 'Tools' menuitem: Define (HKLM)
O9 - Extra button: Dell Home (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.dellnet.com/
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.0) -
O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://proxify.com/nph-proxy.cgi/111111A/6...22f73772e636162
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/0210315bd9d748f42d04/...ip/RdxIE601.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...s/yinst0401.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8128.4997222222

I SERIOUSLY thank you guys for your assistance!

:thumbsup:

#10 Grinler

Grinler

    Bleep Bleep!


  • Admin
  • 40,253 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:03:30 PM

Posted 22 May 2004 - 12:20 AM

Looks good to me

Nice job!!!




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users