
Hijack this log



#1 TomJacobs

Posted 26 October 2004 - 12:54 PM

Problem. I use AOL as an internet browser. Both online and offline, I believe Internet Explorer tries to load and execute a web site. This is continuous, every 3-5 minutes. I have tried to delete in Hijack the R0 and R1 entries in the log. These entries will not delete. What can I do to eliminate the auto load of Explorer? Thanks, Tom

Logfile of HijackThis v1.98.0
Scan saved at 7:50:57 PM, on 10/20/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSRTE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\E_S10IC2.EXE
C:\WINDOWS\SYSTEM\LOADING.EXE
C:\WINDOWS\SYSTEM\SYSTIME.EXE
C:\PROGRAM FILES\WINAD CLIENT\WINAD.EXE
C:\WINDOWS\SYSTEM\3CMLNKW.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHLD.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
C:\WINDOWS\SYSTEM\SYSTIME.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\AMERICA ONLINE 9.0G\AOLTRAY.EXE
C:\PROGRAM FILES\WINAD CLIENT\WINCLT.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSESCN.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\WINWORD.EXE
C:\WINDOWS\MSAGENT\AGENTSVR.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHL.DLL
O4 - HKLM\..\Run: [EPSON Stylus Photo 960] C:\WINDOWS\SYSTEM\E_S10IC2.EXE /P22 "EPSON Stylus Photo 960" /O5 "LPT1:" /M "Stylus Photo 960"
O4 - HKLM\..\Run: [Windows Shell Library Loader] loading shell32.dll /c /set
O4 - HKLM\..\Run: [SysTime] C:\WINDOWS\SYSTEM\systime.exe
O4 - HKLM\..\Run: [Winad Client] C:\PROGRAM FILES\WINAD CLIENT\WINAD.EXE
O4 - HKLM\..\Run: [3Cmlink] c:\windows\SYSTEM\3cmlnkW.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\MCAFEE.COM\VSO\MCMNHDLR.EXE" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "C:\PROGRA~1\MCAFEE.COM\VSO\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
O4 - HKLM\..\RunServices: [McVsRte] C:\PROGRA~1\MCAFEE.COM\VSO\mcvsrte.exe /embedding
O4 - HKCU\..\Run: [SysTime] C:\WINDOWS\SYSTEM\systime.exe
O4 - Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0g\aoltray.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O18 - Filter: text/plain - {11307D65-1ED8-11D9-8369-44459FB3E2E0} - C:\WINDOWS\SYSTEM\FDLBCAA.DLL
O18 - Filter: text/html - {11307D65-1ED8-11D9-8369-44459FB3E2E0} - C:\WINDOWS\SYSTEM\FDLBCAA.DLL

#2 Nirvana

Posted 26 October 2004 - 01:36 PM

Hi Tom,

You have a CoolWebSearch infection. Download and run CWShredder. Click Fix, don't just scan. Let it fix everything it asks about.

Restart HijackThis and put checks next to the following, close all browser windows (including this one) then click on 'Fix Checked':

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php

O4 - HKLM\..\Run: [Windows Shell Library Loader] loading shell32.dll /c /set
O4 - HKLM\..\Run: [SysTime] C:\WINDOWS\SYSTEM\systime.exe
O4 - HKLM\..\Run: [Winad Client] C:\PROGRAM FILES\WINAD CLIENT\WINAD.EXE

O4 - HKCU\..\Run: [SysTime] C:\WINDOWS\SYSTEM\systime.exe

O18 - Filter: text/plain - {11307D65-1ED8-11D9-8369-44459FB3E2E0} - C:\WINDOWS\SYSTEM\FDLBCAA.DLL
O18 - Filter: text/html - {11307D65-1ED8-11D9-8369-44459FB3E2E0} - C:\WINDOWS\SYSTEM\FDLBCAA.DLL

Still in HijackThis, click on Config, then click on Misc Tools. At the new screen, click on the "Delete a file on reboot" button. You will be presented with a dialog asking you to pick a file. Copy and paste C:\WINDOWS\systime.exe into the file name field and press the Open button.
HijackThis will prompt you to reboot; do so, then post another HijackThis log.
"Computers are useless. They can only give you answers." Pablo Picasso
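
An added example, not part of either post and not HijackThis's own code: a small Python parser for entry lines in the format of the log above, with three triage heuristics that are assumptions of this example (an IE page value pointing at a bare IP address, a Run entry whose command has no absolute path, one DLL registered as the filter for several MIME types). The sample lines are constructed from entries in this thread, and the heuristics only prioritise lines for a human reviewer; they do not reproduce the full fix list given in the reply.

```python
import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample: entry lines in the same format as the log in this thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.98.0
C:\WINDOWS\EXPLORER.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
O4 - HKLM\..\Run: [Windows Shell Library Loader] loading shell32.dll /c /set
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
O4 - HKLM\..\Run: [VirusScan Online] "C:\PROGRA~1\MCAFEE.COM\VSO\mcvsshld.exe"
O18 - Filter: text/plain - {11307D65-1ED8-11D9-8369-44459FB3E2E0} - C:\WINDOWS\SYSTEM\FDLBCAA.DLL
O18 - Filter: text/html - {11307D65-1ED8-11D9-8369-44459FB3E2E0} - C:\WINDOWS\SYSTEM\FDLBCAA.DLL
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")           # "R0 - ...", "O18 - ..."
RUN = re.compile(r"^HK\w+\\\.\.\\\w+: \[(.+?)\] (.+)$")   # O4 registry autoruns
ABS_PATH = re.compile(r'^"?[A-Za-z]:\\')                  # optionally quoted drive path

def parse_entries(text):
    """Return (code, body) pairs; header and process-list lines are skipped."""
    return [m.groups() for m in map(ENTRY.match, text.splitlines()) if m]

def triage(entries):
    """Apply the three heuristics (assumptions of this example); return findings."""
    findings, filters = [], defaultdict(set)
    for code, body in entries:
        if code in ("R0", "R1") and " = " in body:
            key, url = body.split(" = ", 1)
            try:
                ipaddress.ip_address(urlparse(url).hostname or "")
                findings.append(("ip-homepage", key))
            except ValueError:
                pass  # host is a DNS name, or the value is not a URL
        elif code == "O4" and (m := RUN.match(body)):
            if not ABS_PATH.match(m.group(2)):
                findings.append(("run-no-path", m.group(1)))
        elif code == "O18" and body.startswith("Filter: "):
            parts = body[len("Filter: "):].split(" - ", 2)  # mime, CLSID, DLL
            if len(parts) == 3:
                filters[parts[2].upper()].add(parts[0])
    findings += [("multi-mime-filter", d) for d, m in filters.items() if len(m) > 1]
    return findings
```
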



