
HiJack This log from a friend's laptop


  • This topic is locked
13 replies to this topic

#1 JEservices

JEservices

    helping hand


  • Members
  • 1,700 posts
  • OFFLINE
  •  
  • Location:Texas
  • Local time:08:29 AM

Posted 17 September 2004 - 08:23 PM

I have a friend's laptop, a Compaq Presario 1255, running Win 98 w/ 32 MB RAM. He wanted me to clean it up a little bit. There is still a lot of work that is needed on it, such as increasing the RAM to 64 or 128, but I wanted to post a HijackThis log, in case there are a few things that I have not picked up. Any additional help would be appreciated. If you will excuse me, I have to uninstall AOL, Prodigy, and defrag the drive...lol

Logfile of HijackThis v1.98.2
Scan saved at 8:01:58 PM, on 9/17/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v5.00 (5.00.2314.1000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\FLCSS.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\SA3DSRV.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPLPR.EXE
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPENH.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\CPQEAUI.EXE
C:\WINDOWS\SYSTEM\WININIT.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\PROGRAM FILES\SAVENOW\SAVENOW.EXE
C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\AIM\AIM.EXE
C:\PROGRAM FILES\MICROSOFT MONEY\SYSTEM\REMINDER.EXE
C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\WINDOWS\WSCRIPT.EXE
C:\PROGRAM FILES\HP DESKJET 610C SERIES\EREG\REMIND32.EXE
C:\PROGRAM FILES\COMPAQ\ON-SCREEN DISPLAY\OSD.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\DESKTOP\HIJACK THIS FOLDER\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.presario.net/scripts/redirec...&s=search&i=enu
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.prodigy.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presario.net/scripts/redirec...&s=search&i=enu
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.presario.net/scripts/redirec...&s=search&i=enu
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://drvvv.com/jf-home.phtml
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://drvvv.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://drvvv.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://drvvv.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://drvvv.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.presario.net/scripts/redirec...&query=%s&i=enu
F1 - win.ini: run=hpfsched
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Essdc] essdc.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [EACLEAN] C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe /NORESTART
O4 - HKLM\..\Run: [Compaq Internet Setup] C:\Compaq\Internet\InetWizard.exe /RUN
O4 - HKLM\..\Run: [CISrvr Program] C:\COMPAQ\INTERNET\CISRVR.EXE
O4 - HKLM\..\Run: [Aureal A3D Interactive Audio Init] A3dInit.exe
O4 - HKLM\..\Run: [OEMCLEANUP] c:\windows\OPTIONS\oemreset.exe
O4 - HKLM\..\Run: [CPQEASYACC] "C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\Cpqeaui.exe"
O4 - HKLM\..\Run: [bymer.scanner] "c:\windows\system\wininit.exe"
O4 - HKLM\..\Run: [startIE] C:\WINDOWS\NOTEPAD.EXE qazwsx.hsq
O4 - HKLM\..\Run: [SaveNow] C:\Program Files\SaveNow\SaveNow.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [Aureal A3D Interactive Audio] sa3dsrv.exe
O4 - HKLM\..\RunServices: [EncMonitor] c:\compaq\access\Encompass\Monitor.exe
O4 - HKLM\..\RunServices: [distributed.net client] "C:\WINDOWS\SYSTEM\dnetc.exe" -hide
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [AOL Instant Messenger ™] C:\Program Files\Netscape\Communicator\Program\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Reminder] C:\Program Files\Microsoft Money\System\reminder.exe
O4 - HKCU\..\Run: [MSMSGS] C:\Program Files\Messenger\msmsgs.exe /background
O4 - Startup: BackWeb.LNK = C:\CPQS\BackWeb\Program\UserProf.EXE
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = ?
O4 - Startup: network.vbs
O4 - Startup: WinZip Quick Pick.lnk = C:\PROGRA~1\WINZIP\wzqkpick.exe
O4 - Startup: Reminder-hpc41003.lnk = C:\Program Files\HP DeskJet 610C Series\ereg\Remind32.exe
O4 - Startup: America Online 5.0 Tray Icon.lnk = C:\WINDOWS\MM2ENT.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .mov: C:\Program Files\Netscape\Communicator\Program\PLUGINS\NPQTW32.DLL
O12 - Plugin for .wav: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npaudio.dll
O12 - Plugin for .avi: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npavi32.dll
O12 - Plugin for .aif: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npaudio.dll
O14 - IERESET.INF: SEARCH_PAGE_URL=http://home.microsoft.com/access/allinone.asp
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com


Note: Currently, the computer is NOT online. They only had a dial-up modem, and I need to install a PC card w/ ethernet connections, so that I can share the internet w/ my router.
We are all curious like a cat. We wonder, we ask, we learn.
Please post back when a suggestion works, so that others may learn.


#2 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,639 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:10:29 AM

Posted 17 September 2004 - 11:52 PM

You are infected with a variant of CoolWebSearch.

Download CWShredder from the below link and unzip it into a directory. Start CWShredder and click on the Fix button to have it remove all CWS infections it finds.

Download CWShredder from one of the following sites:

CWShredder Download Site

After you download the program, unzip it into a directory. Make sure all browser windows are closed and double click on cwshredder.exe to start the program. When the program is loaded click on the "Check for Update" button, and if it finds a new version it will download it. You should then double click on cwshredder.exe again and click on the "FIX" button (not the "Scan only" button) and let it scan your computer.

To get the best results it is recommended that you run it in Safe Mode. Reboot Windows and press F8 at boot/Windows startup, usually right after the beep. Then select Safe Mode.

A tutorial that goes over this process step by step can be found here:

How to remove CoolWebSearch with CWShredder

Once that is completed you should follow these steps in order to clean your computer of malware, which can include viruses, Trojans, worms, spyware, hijackers and dialers.

Step 1:
Download Spybot and Ad-aware from the following locations and install them. You should run both programs and clean up what they find. This is to guarantee that you find the most malware you can installed on your computer.

Before running the scans on both programs, it is mandatory that you update the programs. There are update options in each program when you run them.

Spybot

Ad-aware

If you would like to learn more about how to use these two programs with the proper settings you can read the tutorials below:

Using Ad-aware to remove Spyware & Hijackers from Your Computer.

Using Spybot - Search & Destroy to remove Spyware from Your Computer.


When you scan with both programs, fix everything that it finds.

When you are done with the scan and fixing the items, please continue with the next step.

Step 2:

It is important that you run Spybot and Ad-aware before you proceed with this step. Fixing entries with HijackThis may leave behind unwanted files on your computer if the previous step was not done first.

Create a directory on your hard drive to save HijackThis.exe, a directory like c:\hijackthis. If you do not do this, you will not be able to use the backup/restore features.

Download HijackThis from:

HijackThis Download Site

Save this file into the directory you made previously and then run the program. Click on the Scan button and when it is finished click on the Save Log button. A Notepad window will open with the contents of this log. Click on Edit then click on Select all. Then click on Edit and then Click on Copy.

Create a reply to this post, and right click in message area and select paste to paste the log into the post.

Someone will reply to you after reading this post. DO NOT fix any entries unless you understand what you are doing.

To see a tutorial on using HijackThis you can click on the link below:

HijackThis - Using HijackThis to Remove Spyware, Browser Hijackers, and Dialers

#3 JEservices

JEservices

    helping hand

  • Topic Starter

  • Members
  • 1,700 posts
  • OFFLINE
  •  
  • Location:Texas
  • Local time:08:29 AM

Posted 18 September 2004 - 08:57 AM

Thanks Grinler.

I will d/l the needed programs, and post a new log when complete.

#4 JEservices

JEservices

    helping hand

  • Topic Starter

  • Members
  • 1,700 posts
  • OFFLINE
  •  
  • Location:Texas
  • Local time:08:29 AM

Posted 19 September 2004 - 11:01 AM

Here is an updated HijackThis log. Everything was run in normal mode, and again in Safe Mode. They were run once again in regular mode, and the only thing that was found was a DSO exploit. I have not restarted the computer again since then. Also, when the spyware scan was run when the computer started up, it took about 2 hours to finish. It is likely because it only has 32 MB RAM, but I wanted to mention it, just in case.

Logfile of HijackThis v1.98.2
Scan saved at 9:14:54 AM, on 9/19/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v5.00 (5.00.2314.1000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\FLCSS.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\SA3DSRV.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPLPR.EXE
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPENH.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\CPQEAUI.EXE
C:\WINDOWS\SYSTEM\WININIT.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\AIM\AIM.EXE
C:\PROGRAM FILES\MICROSOFT MONEY\SYSTEM\REMINDER.EXE
C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\WINDOWS\WSCRIPT.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\PROGRAM FILES\HP DESKJET 610C SERIES\EREG\REMIND32.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE
C:\PROGRAM FILES\COMPAQ\ON-SCREEN DISPLAY\OSD.EXE
C:\WINDOWS\DESKTOP\HIJACK THIS FOLDER\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.presario.net/scripts/redirec...&s=search&i=enu
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.prodigy.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presario.net/scripts/redirec...&s=search&i=enu
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.presario.net/scripts/redirec...&s=search&i=enu
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.presario.net/scripts/redirec...&query=%s&i=enu
F1 - win.ini: run=hpfsched
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Essdc] essdc.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [EACLEAN] C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe /NORESTART
O4 - HKLM\..\Run: [Compaq Internet Setup] C:\Compaq\Internet\InetWizard.exe /RUN
O4 - HKLM\..\Run: [CISrvr Program] C:\COMPAQ\INTERNET\CISRVR.EXE
O4 - HKLM\..\Run: [Aureal A3D Interactive Audio Init] A3dInit.exe
O4 - HKLM\..\Run: [OEMCLEANUP] c:\windows\OPTIONS\oemreset.exe
O4 - HKLM\..\Run: [CPQEASYACC] "C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\Cpqeaui.exe"
O4 - HKLM\..\Run: [bymer.scanner] "c:\windows\system\wininit.exe"
O4 - HKLM\..\Run: [startIE] C:\WINDOWS\NOTEPAD.EXE qazwsx.hsq
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [Aureal A3D Interactive Audio] sa3dsrv.exe
O4 - HKLM\..\RunServices: [EncMonitor] c:\compaq\access\Encompass\Monitor.exe
O4 - HKLM\..\RunServices: [distributed.net client] "C:\WINDOWS\SYSTEM\dnetc.exe" -hide
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [AOL Instant Messenger ™] C:\Program Files\Netscape\Communicator\Program\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Reminder] C:\Program Files\Microsoft Money\System\reminder.exe
O4 - HKCU\..\Run: [MSMSGS] C:\Program Files\Messenger\msmsgs.exe /background
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = ?
O4 - Startup: network.vbs
O4 - Startup: WinZip Quick Pick.lnk = C:\PROGRA~1\WINZIP\wzqkpick.exe
O4 - Startup: Reminder-hpc41003.lnk = C:\Program Files\HP DeskJet 610C Series\ereg\Remind32.exe
O4 - Startup: America Online 5.0 Tray Icon.lnk = C:\WINDOWS\MM2ENT.EXE
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .mov: C:\Program Files\Netscape\Communicator\Program\PLUGINS\NPQTW32.DLL
O12 - Plugin for .wav: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npaudio.dll
O12 - Plugin for .avi: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npavi32.dll
O12 - Plugin for .aif: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npaudio.dll
O14 - IERESET.INF: SEARCH_PAGE_URL=http://home.microsoft.com/access/allinone.asp
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com

#5 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,639 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:10:29 AM

Posted 19 September 2004 - 06:54 PM

I want you to fix some of those entries. Please do the following:

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Run HijackThis again, click Scan, and put a checkmark next to each of these. Then click the Fix button.

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
O4 - HKLM\..\Run: [Essdc] essdc.exe
O4 - HKLM\..\Run: [OEMCLEANUP] c:\windows\OPTIONS\oemreset.exe
O4 - HKLM\..\Run: [bymer.scanner] "c:\windows\system\wininit.exe"
O4 - HKLM\..\Run: [startIE] C:\WINDOWS\NOTEPAD.EXE qazwsx.hsq
O4 - HKLM\..\RunServices: [distributed.net client] "C:\WINDOWS\SYSTEM\dnetc.exe" -hide
O4 - Startup: network.vbs

Reboot your computer into Safe Mode

Then delete these files or directories (Do not be concerned if they do not exist)

essdc.exe <-- Search for and delete this file
c:\windows\system\wininit.exe

Reboot your computer to go back to normal mode and post a new log.

#6 JEservices

JEservices

    helping hand

  • Topic Starter

  • Members
  • 1,700 posts
  • OFFLINE
  •  
  • Location:Texas
  • Local time:08:29 AM

Posted 19 September 2004 - 09:43 PM

Thanks again for the help.

Currently, the laptop is still working on defragging, but I will take your advice when it finishes up.

I wanted to ask you about a few of the entries, to see if they are OK to remove. I asked the owner if they used either Prodigy or AOL, and they said they don't. Is it OK to remove those entries in the log?

Referring to these:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.prodigy.net/
O4 - HKCU\..\Run: [AOL Instant Messenger ] C:\Program Files\Netscape\Communicator\Program\AIM\aim.exe -cnetwait.odl
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com

#7 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,639 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:10:29 AM

Posted 19 September 2004 - 10:06 PM

Fixing any of those entries will not cause any harm. Fixing the R0 will make their start page the default one. The O4 will stop AIM from starting automatically, and the O14 will change the defaults that IE uses when you use the reset-to-defaults button on it.

#8 JEservices

JEservices

    helping hand

  • Topic Starter

  • Members
  • 1,700 posts
  • OFFLINE
  •  
  • Location:Texas
  • Local time:08:29 AM

Posted 20 September 2004 - 05:48 AM

After it had been defragging all night, and only reaching 9%, I had to stop it. I couldn't wait until next month for it to finish. I was not able to get any more RAM for it.

-I enabled the hidden files.
-Had HiJack This fix the recommended entries and the ones that referred to AOL and Prodigy.
-Booted into Safe Mode, and deleted the files.
--On this one->c:\windows\system\wininit.exe, it did find this file, but it also found a 2nd file that was in the C:\windows folder. I left that one alone.


Here is the current log:

Logfile of HijackThis v1.98.2
Scan saved at 5:31:26 AM, on 9/20/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v5.00 (5.00.2314.1000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\FLCSS.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\SA3DSRV.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPLPR.EXE
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPENH.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\CPQEAUI.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\MICROSOFT MONEY\SYSTEM\REMINDER.EXE
C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\HP DESKJET 610C SERIES\EREG\REMIND32.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE
C:\PROGRAM FILES\COMPAQ\ON-SCREEN DISPLAY\OSD.EXE
C:\WINDOWS\DESKTOP\MAINT\HIJACK THIS FOLDER\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.presario.net/scripts/redirec...&s=search&i=enu
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presario.net/scripts/redirec...&s=search&i=enu
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.presario.net/scripts/redirec...&s=search&i=enu
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.presario.net/scripts/redirec...&query=%s&i=enu
F1 - win.ini: run=hpfsched
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [EACLEAN] C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe /NORESTART
O4 - HKLM\..\Run: [Compaq Internet Setup] C:\Compaq\Internet\InetWizard.exe /RUN
O4 - HKLM\..\Run: [CISrvr Program] C:\COMPAQ\INTERNET\CISRVR.EXE
O4 - HKLM\..\Run: [Aureal A3D Interactive Audio Init] A3dInit.exe
O4 - HKLM\..\Run: [CPQEASYACC] "C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\Cpqeaui.exe"
O4 - HKLM\..\Run: [ICSDCLT] c:\windows\rundll32.exe c:\windows\SYSTEM\icsdclt.dll,ICSClient
O4 - HKLM\..\Run: [bymer.scanner] "c:\windows\system\wininit.exe"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [Aureal A3D Interactive Audio] sa3dsrv.exe
O4 - HKLM\..\RunServices: [EncMonitor] c:\compaq\access\Encompass\Monitor.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] c:\windows\SYSTEM\ssdpsrv.exe
O4 - HKCU\..\Run: [Reminder] C:\Program Files\Microsoft Money\System\reminder.exe
O4 - HKCU\..\Run: [MSMSGS] C:\Program Files\Messenger\msmsgs.exe /background
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = ?
O4 - Startup: Reminder-hpc41003.lnk = C:\Program Files\HP DeskJet 610C Series\ereg\Remind32.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .mov: C:\Program Files\Netscape\Communicator\Program\PLUGINS\NPQTW32.DLL
O12 - Plugin for .wav: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npaudio.dll
O12 - Plugin for .avi: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npavi32.dll
O12 - Plugin for .aif: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npaudio.dll




edited: It looks like it is still there...

O4 - HKLM\..\Run: [bymer.scanner] "c:\windows\system\wininit.exe"

Edited by JEservices, 20 September 2004 - 05:51 AM.

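Reading the log the way this thread does, as an added Python helper that is not part of the thread or of HijackThis: it parses HijackThis 1.98 entry lines, diffs the log from post #4 against the one from post #8 (trimmed excerpts of those two logs are embedded as constructed samples), and applies a few review heuristics modelled on the entries Grinler told JEservices to fix. The heuristic seeds (UNEXPECTED_AUTORUN, the -hide and Startup-script checks) and all function names are my assumptions, not HijackThis features.

```python
import re
from dataclasses import dataclass

# Every HijackThis entry line is "<section> - <body>", e.g. "O4 - HKLM\..\Run: [x] y".
ENTRY_RE = re.compile(r"^(R\d|F\d|N\d|O\d+) - (.*)$")
# O4 bodies: "HKLM\..\Run: [Name] command"  or  "Startup: item.lnk = target"
O4_RE = re.compile(r"^(?P<location>[^:]+): (?:\[(?P<name>[^\]]*)\] )?(?P<target>.*)$")
# Executables the thread's helper flagged in autorun keys (assumption: heuristic seeds only).
UNEXPECTED_AUTORUN = {"notepad.exe", "wininit.exe"}

@dataclass(frozen=True)
class Entry:
    section: str  # "R0", "O4", ...
    body: str     # text after " - "

    @property
    def text(self):
        return f"{self.section} - {self.body}"

def parse_log(log_text):
    """Entries in a saved log; the header and running-process lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries

def diff_logs(before_text, after_text):
    """(removed, added): entries gone since the earlier log and new ones, in log order."""
    before, after = parse_log(before_text), parse_log(after_text)
    before_set, after_set = set(before), set(after)
    removed = [e for e in before if e not in after_set]
    added = [e for e in after if e not in before_set]
    return removed, added

def split_command(command):
    """Split an autorun command into (executable, arguments), honouring a quoted path."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        if end != -1:
            return command[1:end], command[end + 1:].strip()
    exe, _, args = command.partition(" ")
    return exe, args.strip()

def autorun_fields(entry):
    """(location, name, command) for an O4 entry, else None; '.lnk = target' resolves to target."""
    m = O4_RE.match(entry.body) if entry.section == "O4" else None
    if not m:
        return None
    target = m.group("target")
    if m.group("location") == "Startup" and " = " in target:
        target = target.split(" = ", 1)[1]
    return m.group("location"), m.group("name"), target

def suspicious(entry):
    """A short reason to review the entry, or None (heuristics modelled on this thread)."""
    if entry.section in ("R0", "R1"):
        value = entry.body.rsplit(" = ", 1)[-1]
        return "search setting points at about:blank" if value == "about:blank" else None
    fields = autorun_fields(entry)
    if fields is None:
        return None
    location, _name, command = fields
    exe, args = split_command(command)
    base = exe.rsplit("\\", 1)[-1].lower()
    if location == "Startup" and base.endswith((".vbs", ".js", ".bat")):
        return "script file in the Startup folder"
    if base in UNEXPECTED_AUTORUN:
        return f"{base} launched from an autorun key"
    if "-hide" in args.lower().split():
        return "program asked to start hidden"
    return None

def review(entries):
    """[(entry text, reason)] for every entry a heuristic picks out."""
    return [(e.text, r) for e in entries if (r := suspicious(e))]

# Constructed samples: trimmed excerpts of the logs in posts #4 (before) and #8 (after).
BEFORE_LOG = r"""Logfile of HijackThis v1.98.2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.prodigy.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [bymer.scanner] "c:\windows\system\wininit.exe"
O4 - HKLM\..\Run: [startIE] C:\WINDOWS\NOTEPAD.EXE qazwsx.hsq
O4 - HKLM\..\RunServices: [distributed.net client] "C:\WINDOWS\SYSTEM\dnetc.exe" -hide
O4 - Startup: network.vbs
O4 - Startup: WinZip Quick Pick.lnk = C:\PROGRA~1\WINZIP\wzqkpick.exe
"""
AFTER_LOG = r"""Logfile of HijackThis v1.98.2
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [ICSDCLT] c:\windows\rundll32.exe c:\windows\SYSTEM\icsdclt.dll,ICSClient
O4 - HKLM\..\Run: [bymer.scanner] "c:\windows\system\wininit.exe"
"""
```

Running `review(parse_log(AFTER_LOG))` after `diff_logs(BEFORE_LOG, AFTER_LOG)` reproduces what the post above noticed: every flagged entry except the bymer.scanner one is gone, and that one is still listed for review.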

#9 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,639 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:10:29 AM

Posted 20 September 2004 - 10:15 AM

Just fix this one:

O4 - HKLM\..\Run: [bymer.scanner] "c:\windows\system\wininit.exe"

#10 JEservices

JEservices

    helping hand

  • Topic Starter

  • Members
  • 1,700 posts
  • OFFLINE
  •  
  • Location:Texas
  • Local time:08:29 AM

Posted 20 September 2004 - 11:12 AM

I removed that entry, and just for grins, another one showed up. I have not restarted the computer yet.

04-HKLM\..\Run:[StartIE] xt qazwsx.hsq

I know that it is an unusual filename, because those 6 letters are, in order, from the left hand side of the keyboard.

Should I restart the computer to see if it returns or delete and restart?

#11 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,639 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:10:29 AM

Posted 20 September 2004 - 11:22 AM

Fix that entry as well and reboot. Let's see if the wininit one is back.

#12 JEservices

JEservices

    helping hand

  • Topic Starter

  • Members
  • 1,700 posts
  • OFFLINE
  •  
  • Location:Texas
  • Local time:08:29 AM

Posted 21 September 2004 - 08:39 AM

OK I deleted that entry, and restarted the computer. Here is the latest and greatest...

Logfile of HijackThis v1.98.2
Scan saved at 12:13:19 PM, on 9/20/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v5.00 (5.00.2314.1000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\FLCSS.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\SA3DSRV.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPLPR.EXE
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPENH.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\CPQEAUI.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\MICROSOFT MONEY\SYSTEM\REMINDER.EXE
C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\HP DESKJET 610C SERIES\EREG\REMIND32.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE
C:\PROGRAM FILES\COMPAQ\ON-SCREEN DISPLAY\OSD.EXE
C:\WINDOWS\DESKTOP\MAINT\HIJACK THIS FOLDER\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.presario.net/scripts/redirec...&s=search&i=enu
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presario.net/scripts/redirec...&s=search&i=enu
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.presario.net/scripts/redirec...&s=search&i=enu
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.presario.net/scripts/redirec...&query=%s&i=enu
F1 - win.ini: run=hpfsched
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [EACLEAN] C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe /NORESTART
O4 - HKLM\..\Run: [Compaq Internet Setup] C:\Compaq\Internet\InetWizard.exe /RUN
O4 - HKLM\..\Run: [CISrvr Program] C:\COMPAQ\INTERNET\CISRVR.EXE
O4 - HKLM\..\Run: [Aureal A3D Interactive Audio Init] A3dInit.exe
O4 - HKLM\..\Run: [CPQEASYACC] "C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\Cpqeaui.exe"
O4 - HKLM\..\Run: [ICSDCLT] c:\windows\rundll32.exe c:\windows\SYSTEM\icsdclt.dll,ICSClient
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [Aureal A3D Interactive Audio] sa3dsrv.exe
O4 - HKLM\..\RunServices: [EncMonitor] c:\compaq\access\Encompass\Monitor.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] c:\windows\SYSTEM\ssdpsrv.exe
O4 - HKCU\..\Run: [Reminder] C:\Program Files\Microsoft Money\System\reminder.exe
O4 - HKCU\..\Run: [MSMSGS] C:\Program Files\Messenger\msmsgs.exe /background
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = ?
O4 - Startup: Reminder-hpc41003.lnk = C:\Program Files\HP DeskJet 610C Series\ereg\Remind32.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .mov: C:\Program Files\Netscape\Communicator\Program\PLUGINS\NPQTW32.DLL
O12 - Plugin for .wav: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npaudio.dll
O12 - Plugin for .avi: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npavi32.dll
O12 - Plugin for .aif: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npaudio.dll

#13 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,639 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:10:29 AM

Posted 21 September 2004 - 11:12 AM

Log looks clean...great job!

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and re-enable System Restore to make sure there are no infected files found in a restore point.

    You can find instructions on how to enable and reenable system restore here:

    Managing Windows Millennium System Restore

    or

    Windows XP System Restore Guide

    Re-enable System Restore with instructions from the tutorial above.

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Use AntiVirus Software - It is very important that your computer has anti-virus software running on it. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online and stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Download and install Spybot - Search and Destroy with its TeaTimer option. This will provide real-time spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis, just as you would with antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  • Install Ad-Aware - Download and install Ad-Aware. You should also scan your computer with the program on a regular basis, just as you would with antivirus software, in conjunction with Spybot.

    A tutorial on installing & using this product can be found here:

    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites to your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

Glad I was able to help.

#14 JEservices

JEservices

    helping hand

  • Topic Starter

  • Members
  • 1,700 posts
  • OFFLINE
  •  
  • Location:Texas
  • Local time:08:29 AM

Posted 21 September 2004 - 12:13 PM

Thanks for the help. Now if only I can get defrag to finish in less than a month... :thumbsup:



