Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

HJT Log - Hillbilly


  • Please log in to reply
2 replies to this topic

#1 Hillbilly

Hillbilly

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:01:38 PM

Posted 02 July 2005 - 01:25 PM

A friend bought me her computer saying she was having problems getting connected to the internet, shes not at all computer savvy. I am not surprised as it is eat the heck up with spyware. She doesnt have the restore discs for the pc either so I am simply trying to salvage what she has right now. I burned a copy of Adaware from my pc, installed it and eventually had to reboot in safe mode to run it. Adaware has removed over 1200 things so far and each time I run it there is more. As a preventative measure I installed ZoneAlarm to keep the programs from accessing the net while I post the HJT log here.

Help please!!

Logfile of HijackThis v1.99.1
Scan saved at 2:13:14 PM, on 7/2/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\CPQEADM.EXE
C:\COMPAQ\CPQINET\CPQINET.EXE
C:\PROGRAM FILES\COMPAQ\DIGITAL DASHBOARD\DEVGULP.EXE
C:\CPQS\BWTOOLS\SCCENTER.EXE
C:\WINDOWS\PCTVOICE.EXE
C:\WINDOWS\SYSTEM\HPZTSB03.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\ELITEULK32.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\WINDOWS\SYSTEM\MPRDMAIL.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\BULLSEYE NETWORK\BIN\BARGAINS.EXE
C:\PROGRAM FILES\NAVISEARCH\BIN\NLS.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\EAUSBKBD.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER BASIC\PSBASIC.EXE
C:\PROGRAM FILES\SF\SF.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\PROGRAM FILES\INTUIT\QUICKBOOKS\COMPONENTS\QBAGENT\QBDAGENT2001.EXE
C:\WINDOWS\SYSTEM\MRTMNGR.EXE
C:\PROGRAM FILES\YAHOO!\MESSENGER\YMSGR_TRAY.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\AOL COMPANION\COMPANION.EXE
C:\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://desktop.presario.net/scripts/redire...onsumer&LC=0409
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://desktop.presario.net/scripts/redire...onsumer&LC=0409
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://desktop.presario.net/scripts/redire...onsumer&LC=0409
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {6EC12017-A5C5-414B-82D8-4C8C10A23A34} - C:\PROGRAM FILES\TD6K2J61\TD6K2J61.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\SYSTEM\MSBE.DLL
O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\SYSTEM\NVMS.DLL
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\CFGMGR52.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
O4 - HKLM\..\Run: [EACLEAN] C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe
O4 - HKLM\..\Run: [CPQInet] c:\compaq\CPQInet\CpqInet.exe
O4 - HKLM\..\Run: [Digital Dashboard] C:\Program Files\Compaq\Digital Dashboard\DevGulp.exe
O4 - HKLM\..\Run: [Service Connection] c:\cpqs\bwtools\sccenter.exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PCTVOICE] pctvoice.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb03.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [TD6K2J61] \Progra~1\TD6K2J61\TD6K2J61.exe
O4 - HKLM\..\Run: [checkrun] C:\WINDOWS\SYSTEM\ELITEULK32.EXE
O4 - HKLM\..\Run: [r83R36X] MPRDMAIL.EXE
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\CFGMGR52.DLL,DllRun
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\SYSTEM\exp.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\SYSTEM\wintask.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [PopUpStopperBasic] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER BASIC\PSBASIC.EXE"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [azs5RWbmQ] MAGLP30T.EXE
O4 - HKCU\..\Run: [sf] C:\Program Files\sf\sf.exe
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: Compaq Knowledge Center.lnk = C:\Program Files\Compaq Knowledge Center\bin\silent.exe
O4 - Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Startup: America Online 5.0 Tray Icon.lnk = C:\America Online 5.0\aoltray.exe
O4 - Startup: Wal-Mart Connect Tray Icon.lnk = C:\wmconnect\wmtray.exe
O4 - Startup: QuickBooks 2001 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks\Components\QBAgent\qbdagent2001.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: &AIM Search - res://C:\PROGRAM FILES\AIM TOOLBAR\AIMBAR.DLL/aimsearch.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: AV &Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...&c=3c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...&c=3c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...&c=3c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D04-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: AV Live - {06FE5D04-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...&c=3c00&LC=0409 (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O12 - Plugin for .swf: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npswf32.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net

As usual, thank you in advance for any assistance you give me!

BC AdBot (Login to Remove)

 


#2 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE
  •  

Posted 03 July 2005 - 01:14 PM

:thumbsup: Howdy there Mr. Hillbilly and Welcome to the Bleeping Computer!! :flowers:

Thats quite a mess and I am assuming there is no Internet Connection amongst the missing functions!

Fortuantly I only need you to get 2 program since you have HijackThis Installed allready!

Download "The Hoster" from here
http://www.funkytoad.com/download/hoster.zip

Download LQfix.zip to a Floppy or CD
http://users.pandora.be/bluepatchy/LQfix.zip

Fire the PC up in Safe Mode

Configure Windows to Show All Hidden Files and Folders
http://www.bleepingcomputer.com/forums/ind...torial=62#winme

Open the Hoster and Press "Restore Original Hosts" then press "OK".

Exit Program.

Unload LQfix.zip to the PCs Desktop>> "Unzip" and "Extract All"

From the New LQfix Folder>> Doubleclick LQfix.bat that you saved on your desktop before.

A doswindow will open and close again, this is normal.

Go to Add\remove Programs and Remove these

BULLSEYE NETWORK
NAVISEARCH
Weatherbug


Locate and Delete the following

C:\WINDOWS\SYSTEM\exp.exe<< File!

C:\WINDOWS\CFGMGR52.DLL<< File!

C:\WINDOWS\SYSTEM\MSBE.DLL<< File!

C:\WINDOWS\SYSTEM\AUNPS2.DLL<< File!

C:\WINDOWS\SYSTEM\NVMS.DLL<< File!

C:\WINDOWS\SYSTEM\wintask.exe<< File!

C:\WINDOWS\SYSTEM\ELITEULK32.EXE<< File!

C:\WINDOWS\SYSTEM\MPRDMAIL.EXE<< File!

C:\WINDOWS\SYSTEM\MAGLP30T.EXE<< File!

C:\PROGRAM FILES\BULLSEYE NETWORK<< Folder!

C:\PROGRAM FILES\AWS<< Folder!

C:\PROGRAM FILES\NAVISEARCH<< Folder!

C:\PROGRAM FILES\SF<< Folder!

C:\PROGRAM FILES\TD6K2J61<< Folder!

Open HijackThis and put a check by these but DO NOT hit the Fix Checked button yet!

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://desktop.presario.net/scripts/redire...onsumer&LC=0409

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {6EC12017-A5C5-414B-82D8-4C8C10A23A34} - C:\PROGRAM FILES\TD6K2J61\TD6K2J61.dll

O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\SYSTEM\MSBE.DLL

O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\SYSTEM\NVMS.DLL

O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\CFGMGR52.DLL

O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16

O4 - HKLM\..\Run: [TD6K2J61] \Progra~1\TD6K2J61\TD6K2J61.exe

O4 - HKLM\..\Run: [checkrun] C:\WINDOWS\SYSTEM\ELITEULK32.EXE

O4 - HKLM\..\Run: [r83R36X] MPRDMAIL.EXE

O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\CFGMGR52.DLL,DllRun

O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe

O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe

O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\SYSTEM\exp.exe

O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\SYSTEM\wintask.exe

O4 - HKCU\..\Run: [azs5RWbmQ] MAGLP30T.EXE

O4 - HKCU\..\Run: [sf] C:\Program Files\sf\sf.exe

O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)

Now Make sure ALL WINDOWS and BROWSERS are CLOSED and hit the Fix Checked Button!

Unregister these DLLs,to do this:

Click Start>>>Click Run>>>Copy&Paste the Text below into the Text Box and Click OK!

regsvr32 /u CFGMGR52.DLL
If you get an error message,try it like this:
regsvr32 /u C:\WINDOWS\CFGMGR52.DLL

Do the same for these:

regsvr32 /u MSBE.DLL
or
regsvr32 /u C:\WINDOWS\SYSTEM\MSBE.DLL

regsvr32 /u AUNPS2.DLL
or
regsvr32 /u C:\WINDOWS\SYSTEM\AUNPS2.DLL

regsvr32 /u NVMS.DLL
or
regsvr32 /u C:\WINDOWS\SYSTEM\NVMS.DLL

Run MSCONFIG and enable everything in the startup area. To get to MSCONFIG, click on Start -> Run -> type in MSCONFIG -> click OK!

Under the "Startup" Tab
Make Sure every box is Checked!!

Click Apply>>Close>>Click Exit Without Restarting!!

If you run across a file that wouldnt delete!

Open HijackThis and Click Config>> Misc Tools>> Delete a file on Reboot

When the small Explorer Window Opens,Navigate to the folder the file is located in and locate the file and double click!

If there is more than one file to delete the way,Click No to the Next Prompt and when you get to the last entry Click Yes to Reboot!

Restart the PC into Normal Mode and Try to Get it Connected to the Internet Now!

If you establish a Internet Connection>> Confirm you are using Ad Aware 1.06 and use the link below to Configure and Update it
http://www.bleepingcomputer.com/forums/ind...showtutorial=48

Scan with Ad Aware>>Remove all it finds and Delete all Quaratine Files!

If Internet Connection was established have the PC Scanned Here
Panda Active Scan

You will need to be using Internet Explorer for the Scan to work!

Save the Report it generates!

Post back with a fresh HijackThis log and a report from Panda if available!

Edited by Cretemonster, 03 July 2005 - 01:15 PM.


#3 Hillbilly

Hillbilly
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  

Posted 03 August 2005 - 08:30 PM

Cretemonster, Sorry it has taken me so long to reply, however I lucked out and she found the discs to the PC so I was able to do a restore to factory new and fix it. Thank you for your assistance, much appreciated!




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users