
My HijackThis log



#1 truc182

Posted 10 August 2005 - 03:25 PM

Logfile of HijackThis v1.99.1
Scan saved at 1:13:25 PM, on 8/10/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\CREATIVE\AUDIO\PROGRAM\CTMIX32.EXE
C:\WINDOWS\SYSTEM\RSYSSW2D.EXE
C:\WINDOWS\SYSTEM\VIDCTRL\VIDCTRL.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\WINFIXER 2005\WFX5.EXE
C:\WINDOWS\DESKTOP\STARTUP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://ie.search.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://ie.search.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by telus.netŪ
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = <local>
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\PROGRAM FILES\SURFSIDEKICK 3\SSKBHO.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: COMMUNICATOR - {4E7BD74F-2B8D-469E-8DBC-A42EB79CB428} - C:\WINDOWS\SYSTEM\communicator.dll
O2 - BHO: LinkTracker Class - {8B6DA27E-7F64-4694-8F8F-DC87AB8C6B22} - C:\WINDOWS\SYSTEM\QLINK32.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: COMMUNICATOR - {4E7BD74F-2B8D-469E-8DBC-A42EB79CB428} - C:\WINDOWS\SYSTEM\communicator.dll
O4 - HKLM\..\Run: [CreativeMixer] C:\Program Files\Creative\Audio\PROGRAM\CTMIX32.EXE /t
O4 - HKLM\..\Run: [vidctrl] C:\WINDOWS\SYSTEM\VIDCTRL\VIDCTRL.EXE
O4 - HKLM\..\Run: [SurfSideKick 3] C:\PROGRAM FILES\SURFSIDEKICK 3\Ssk.exe
O4 - HKLM\..\Run: [SysStart] C:\WINDOWS\SYSTEM\RSYSSW2D.EXE DO0605
O4 - HKLM\..\Run: [WinFixer 2005] C:\Program Files\WinFixer 2005\wfx5.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [ATIPOLAB] ati2evae.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [SurfSideKick 3] C:\PROGRAM FILES\SURFSIDEKICK 3\Ssk.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\SYSTEM\rsyssw2d.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - http://www.net2phone.com/ (file missing)
O9 - Extra 'Tools' menuitem: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - http://www.net2phone.com/ (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O16 - DPF: {C9B08199-657A-468D-A26B-692137572131} (FFHostContainer Class) - http://www.focusfocus.com/download/windows/ffhost.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://208.158.118.13/AxisCamControl.ocx
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/11723ae9fea395...ip/RdxIE601.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by8fd.bay8.hotmail.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popcap/zuma/popcaploader_v5.cab
O16 - DPF: {9BFC2253-B9D9-477E-9488-CA450232620D} (BinAg1 Class) - https://merlin.telus.net/wizlet/Qualifier/s...flowActiveX.CAB
O18 - Filter: text/html - {DFAA31C8-A356-4313-9D95-5EDAB46C5070} - C:\WINDOWS\SYSTEM\QLINK32.DLL
O19 - User stylesheet: (file missing)


#2 dj-sille

Posted 10 August 2005 - 03:45 PM

I see some things that can be removed, but I can't say them here because I have no license to do this on the website.

#3 truc182

Posted 10 August 2005 - 03:50 PM

send me an email then

#4 Papakid

  • Malware Response Team
Posted 11 August 2005 - 07:54 PM

send me an email then

That would be a mistake. dj-sille has no "license" to post help because he has just started his training and could make a mistake that we all would regret. Helping by email is also against board policy.

Give me some time and I'll review your log and help you get rid of WinFixer.

The thing about people

is they change

when they walk away.--Mipso


#5 Papakid

  • Malware Response Team
Posted 11 August 2005 - 11:29 PM

OK, I see you have no antivirus running. We should be able to clean some of this up with that and some other automated scanners.

Please do the following:

1. Please choose one of the following free antivirus solutions:

Antivir
Avast Free
AVG Free
Bitdefender Free

Download it but don't run it just yet.

2. Download Spybot and Adaware from the following locations.

Spybot
Ad-aware

Install, configure and update them according to the following tutorials but don't scan yet:

Spybot - S&D Tutorial
Ad-Aware Tutorial

3. Download CWShredder and save it to your Desktop. Don't run it yet. CWShredder Download Link

4. Reboot your computer into Safe Mode. It may be easier with 98 to hold the Ctrl key down just as Windows restarts.

5. Install your antivirus and run a full system scan.

Now run CWShredder that you saved to your desktop. Click the Fix button and OK the message box that Internet Explorer and Windows Media Player windows will be closed. Then click Next and finally, Exit.

6. This process will clean out your Temp files and your Temporary Internet Files. Please do both steps:

Step 1:Delete Temp Files
To clean out your temp files, click on Start and then run, and type %temp% and press the ok button.

This should open up the temp directory that your machine uses. Please delete all files that are found there.

Step 2: Delete Temporary Internet Files
Now I want you to open up Internet Explorer, and click on the Tools menu and then Internet Options. At the General tab, which should be the first tab you are currently on, click on the Delete Files button and put a checkmark in Delete offline content. Then press the OK button. This may take quite a while, so do not be alarmed with how long it takes. When it is done, your Temporary Internet Files will now be deleted.

7. Reboot back into safe mode and run Spybot and Adaware. Allow them to delete all they find.

8. Reboot back into normal mode and run at least two of these free online scans:

TrendMicro's HouseCall
Panda ActiveScan
BitDefender

Allow them to clean all they find and delete any files they are unable to clean.

9. Open HijackThis.

If you still have the New Users Quickstart screen enabled, click Open Misc Tools Section.
If you just have the regular opening screen, click the Config... button then the Misc Tools button.

Now click the Open Uninstall Manager button, then the Save List button. Save the list somewhere convenient like My Documents and then the list will open in Notepad. Copy and Paste that list into your next reply to this post.

10. Scan again with HijackThis and post a new log and we'll deal with what remains. Also please post the Uninstall Manager log and the logs from the online scanners.

The thing about people

is they change

when they walk away.--Mipso
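
An added example (not part of the original posts, and not HijackThis's own code): a small Python parser for the log format posted in #1. It lists entries that point at missing files, startup (O4) entries whose program is in the running-process list, and, for the follow-up log requested in step 10, the entries that are still present. The function names are this example's own, and the follow-up log is constructed by dropping the WinFixer lines from an excerpt of the first log.

```python
import re

# A HijackThis entry is "<section code> - <details>", e.g. "O4 - HKLM\..\Run: ...".
ENTRY = re.compile(r"^([RFNO]\d{1,2}) - (.+)$")
ORPHAN = re.compile(r"\((no file|file missing)\)\s*$", re.I)

def parse_log(text):
    """Return (running process paths, [(code, details), ...])."""
    procs, entries, in_procs = set(), [], False
    for line in map(str.strip, text.splitlines()):
        m = ENTRY.match(line)
        if m:
            in_procs = False
            entries.append((m.group(1), m.group(2)))
        elif line.lower().startswith("running processes"):
            in_procs = True
        elif in_procs and line:
            procs.add(line.upper())
    return procs, entries

def orphans(entries):
    """Entries whose registry data points at a file that is gone."""
    return [e for e in entries if ORPHAN.search(e[1])]

def live_autoruns(procs, entries):
    """O4 startup entries whose target is in the running-process list."""
    return [d for c, d in entries
            if c == "O4" and any(p in d.upper() for p in procs)]

def remaining(before, after):
    """Entries of the first log still present in the follow-up log."""
    kept = {(c, d.upper()) for c, d in after}
    return [(c, d) for c, d in before if (c, d.upper()) in kept]

# Excerpt of the log posted in #1.
BEFORE = r"""Running processes:
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RSYSSW2D.EXE
C:\PROGRAM FILES\WINFIXER 2005\WFX5.EXE

O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O4 - HKLM\..\Run: [vidctrl] C:\WINDOWS\SYSTEM\VIDCTRL\VIDCTRL.EXE
O4 - HKLM\..\Run: [SysStart] C:\WINDOWS\SYSTEM\RSYSSW2D.EXE DO0605
O4 - HKLM\..\Run: [WinFixer 2005] C:\Program Files\WinFixer 2005\wfx5.exe
O19 - User stylesheet: (file missing)
"""
# Constructed follow-up log (hypothetical): the WinFixer lines are gone.
AFTER = "\n".join(l for l in BEFORE.splitlines() if "WINFIXER" not in l.upper())
print(remaining(parse_log(BEFORE)[1], parse_log(AFTER)[1]))
```

A match in `live_autoruns` only means the startup entry is active right now; whether the program belongs on the machine is still a judgement for whoever reviews the log.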




