Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

hijack this log file. help please


  • Please log in to reply
2 replies to this topic

#1 pluka

pluka

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:01:47 PM

Posted 28 April 2005 - 06:35 AM

I have this big problem that i should solve quickly because it is the office computer. i m working on windows 98. i tried to remove slotchbar from the registry and i removed something important and now i can open microsoft outlook and the list in my add/remove program has disappeared. i also can t open microsoft word. i m in a mess and my boss doesn t know yet. i also keep having thse pop ups, google is helpless towards this search bar, it doesn t search anything. luckily i found your site and i followed the instructions that a nice person here gave and i installed hijack this and this is the " rotten" log file'
Spy sweeper found 2 of those trogans but it kept getting blocked at registry scan, i was obliged to stop the scan each time without deletind them. spybot didn t find anything.
Thanks alot.
i coudn t open the forum named spyware malware. i have the impression it is closed closed.


Logfile of HijackThis v1.99.1
Scan saved at 01:05:30 ă, on 28/04/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\RTVSCN95.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\DEFWATCH.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\MEDIA95\VI_GRM.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\MOUSE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\VPTRAY.EXE
C:\PROGRAM FILES\USB PRODUCT DRIVER V2.15R004\SHWICON.EXE
C:\PROGRAM FILES\INVESTORINTELLIGENCE\INVESTORINTELLIGENCE.EXE
C:\MSSQL7\BINN\SQLMANGR.EXE
C:\PROGRAM FILES\AOL 7.0\AOLTRAY.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\PROGRAM FILES\NIKON\NKVIEW6\NKVMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\DSPGSE.EXE
C:\WINDOWS\CALC.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\AUTOUPDATE\AUTOUPDATE.EXE
C:\WINDOWS\SYSTEM\DHC_CI.EXE
C:\WINDOWS\SYSTEM\HTM3216.EXE
C:\PROGRAM FILES\CXTPLS\CXTPLS.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\VPC32.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\BUREAU\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://moneycentral.msn.com/investor/home.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/customi...fo/bt_side.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://moneycentral.msn.com/investor/home.asp
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
F1 - win.ini: load=C:\MEDIA95\vi_grm.exe
O1 - Hosts: 69.50.166.11 www.google.com
O1 - Hosts: 69.50.166.11 google.com
O1 - Hosts: 69.50.166.11 www.google.co.uk
O1 - Hosts: 69.50.166.11 google.co.uk
O1 - Hosts: 69.50.166.11 www.google.ca
O1 - Hosts: 69.50.166.11 google.ca
O1 - Hosts: 69.50.166.11 www.google.es
O1 - Hosts: 69.50.166.11 google.es
O1 - Hosts: 69.50.166.11 www.google.de
O1 - Hosts: 69.50.166.11 google.de
O1 - Hosts: 69.50.166.11 www.google.fr
O1 - Hosts: 69.50.166.11 google.fr
O1 - Hosts: 69.50.166.11 www.google.com.au
O1 - Hosts: 69.50.166.11 google.com.au
O1 - Hosts: 69.50.166.14 www.yahoo.com
O1 - Hosts: 69.50.166.14 yahoo.com
O1 - Hosts: 66.218.75.184 mail.yahoo.com
O1 - Hosts: 69.50.166.12 www.go.com
O1 - Hosts: 69.50.166.12 go.com
O1 - Hosts: 69.50.166.13 astalavista.com
O1 - Hosts: 69.50.166.13 www.astalavista.com
O1 - Hosts: 69.50.166.13 astalavista.box.sk
O1 - Hosts: 69.50.166.13 cracks.am
O3 - Toolbar: AZE Search - {A6790AA5-C6C7-4BCF-A46D-0FDAC4EA90EB} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [EM_EXEC] c:\mouse\system\em_exec.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~2\vptray.exe
O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [ShowIcon_Samsung_USB Product Driver v2.15r004] "C:\Program Files\USB Product Driver v2.15r004\shwicon.exe" -t"Samsung\USB Product Driver v2.15r004"
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [dspgse] c:\windows\system\dspgse.exe
O4 - HKLM\..\Run: [AutoUpdater] "c:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [q79S37R] HTM3216.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [rtvscn95] C:\PROGRA~1\SYMANT~1\SYMANT~2\rtvscn95.exe
O4 - HKLM\..\RunServices: [defwatch] C:\PROGRA~1\SYMANT~1\SYMANT~2\defwatch.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [InvestorIntelligence] C:\PROGRAM FILES\INVESTORINTELLIGENCE\InvestorIntelligence.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [bwq2RXdmO] DHC_CI.EXE
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Service Manager.lnk = C:\MSSQL7\Binn\sqlmangr.exe
O4 - Startup: Icône AOL.lnk = C:\Program Files\AOL 7.0\aoltray.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O16 - DPF: {7160FB1B-3DE0-4C42-81F0-41B4269990B0} (MSN Money Ticker) - http://fdl.msn.com/public/investor/v12/ticker.cab
O16 - DPF: {EF0DBA6F-43CE-4B26-9808-2AB38FA0DB29} (MSN Money Ticker) - http://fdl.msn.com/public/investor/v13/ticker.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O16 - DPF: {544EB377-350A-4295-9BEB-EAB8392E09C6} (MSN Money Charting) - http://fdl.msn.com/public/investor/v13/invinstl.exe
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab
O16 - DPF: {21F49842-BFA9-11D2-A89C-00104B62BDDA} (ChartFX Internet Control) - http://www.schaeffersresearch.com/download/CfxIEAx.cab
O16 - DPF: {24BACF02-5676-11D3-B8DE-00105A17A9E6} (ChartFX Internet Financial Client 4.0) - http://www.schaeffersresearch.com/Download/Cfx4Financial.cab
O16 - DPF: {00C0A1F2-D492-4DBA-A8E2-76CB1B791723} (TNPLDownloader Control) - http://www.empiresecure.net/tnpl_onefn/cli...LDownloader.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...up1.0.0.8-2.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab
O16 - DPF: {D7BF3304-138B-4DD5-86EE-491BB6A2286C} (CParamWr Class) - http://www.azebar.com/install/azesearch.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab
O16 - DPF: ppctlcab - http://ppupdates.ca.com/downloads/scanner/ppctlcab.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca.com/downloads/scanner/axscanner.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://rtc4.webresponse.one.microsoft.com/...p/TLIEFlash.CAB
O16 - DPF: {7C559105-9ECF-42B8-B3F7-832E75EDD959} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v4.0/0006_cracks.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = wanadoo.fr
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 193.252.19.3,193.252.19.4
O18 - Protocol: copernicdesktopsearch - {D9656C75-5090-45C3-B27E-436FBC7ACFA7} - C:\PROGRA~1\COPERN~1\COPERN~2.DLL

BC AdBot (Login to Remove)

 


m

#2 Rimmer

Rimmer

  • Members
  • 2,159 posts
  • OFFLINE
  •  
  • Location:near Sydney, Australia
  • Local time:04:47 AM

Posted 28 April 2005 - 07:20 AM

Your system is infected with malware. You need to do the following:
Installing HijackThis.
  • Create a new folder, under the C: drive, called "hjt". If it already exists delete any files that may be in it. If you have a shortcut to HijackThis on the desktop, delete it.
  • Download the latest version of HijackThis from the following link:
    HijackThis Download Site
    In the 'Save To:' box type "c:\hjt"
  • Unzip HijackThis to the folder you created:
    Navigate to the hjt folder and double click on the HijackThis.zip file. For WindowsXP in the left hand column click 'Extract all Files' the Extraction Wizard will pop up. Click Next, then Browse. Select the HJT folder you created, then click OK. OR If you have WinZip installed you answer 'Agree' and a window will open showing you HijackThis.exe inside the zip file. Click the 'Extract' icon. An extract window will open. In the 'Folders/Drives' section select the C: drive and then the 'hjt' folder. In the "Extract to:" pane it should show "c:\hjt". Select the "All files" button and tick "Overwrite existing files" then click the "Extract" button on the right. Close Winzip.
    You should now have HijackThis.exe in your hjt folder.
It is important to have HJT in its own folder. Run the scan again and post the new log in the HJT Forum. Please also read the HJT forum rules as following them will get you the quickest response.

Soltek QBIC, Pentium 4 3.0GHz, 512MB RAM, 200GB SATA HDD, ATI Radeon 9600XT 256MB, Netgear 54Mb/s WAP, ridiculously expensive Satellite Broadband
Windows XP Home SP2, Trend Micro Internet Security, Firefox, Thunderbird, AdAwareSE, Spybot S&D, SpywareBlaster, A-squared Free, Ewido Security Suite.

#3 pluka

pluka
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:01:47 PM

Posted 28 April 2005 - 08:09 AM

thanks a lot, i m going to follow your advice .




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users