Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Highjack This Log


  • This topic is locked This topic is locked
4 replies to this topic

#1 TQUAD

TQUAD

  • Members
  • 96 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:milwaukee pc. Milwaukee Wisconsin.
  • Local time:01:49 PM

Posted 24 January 2006 - 04:18 AM

Logfile of HijackThis v1.99.1
Scan saved at 3:02:39 AM, on 1/24/06
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\SYSTEM\KMW_RUN.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\WINDOWS\SYSTEM\KMW_SHOW.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\MSN APPS\UPDATER\01.03.0000.1005\EN-US\MSNAPPAU.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R3 - URLSearchHook: (no name) - {DF7312F5-680D-4215-0F6E-1F01E5DC4CBA} - Shaitan1678.dll (file missing)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%206%5Csearchplugins%5CSBWeb_01.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\koookw6d.slt\prefs.js)
O2 - BHO: BrowserHelper Class - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM\NZDD0.DLL
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.3000.1001\EN-US\MSNTB.DLL
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\PROGRAM FILES\MSN APPS\ST\01.03.0000.1005\EN-XU\STMAIN.DLL
O2 - BHO: IeHelper Class - {A491D208-B353-490F-B81A-A8A3DC97042D} - C:\WINDOWS\SYSTEM\smiehlp.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\PROGRAM FILES\SPYCATCHER 2006\SCACTIVEBLOCK.DLL (file missing)
O2 - BHO: IEHlprObjClass - {CE7C3CF0-4B15-11D1-ABED-709549C10000} - C:\KMOUSE\IE_SPY.DLL (file missing)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.3000.1001\EN-US\MSNTB.DLL
O3 - Toolbar: Hotbar - {B195B3B3-8A05-11D3-97A4-0004ACA6948E} - C:\PROGRAM FILES\HOTBAR\BIN\4.6.1.0\HBHOSTIE.DLL (file missing)
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [kmw_run.exe] kmw_run.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O8 - Extra context menu item: &Copy Location - C:\WINDOWS\WEB\graburl.htm
O8 - Extra context menu item: Open Frame in &New Window - C:\WINDOWS\WEB\frm2new.htm
O8 - Extra context menu item: &Highlight - C:\WINDOWS\WEB\highlight.htm
O8 - Extra context menu item: &Links List - C:\WINDOWS\WEB\urllist.htm
O8 - Extra context menu item: Zoom &In - C:\WINDOWS\WEB\zoomin.htm
O8 - Extra context menu item: Zoom O&ut - C:\WINDOWS\WEB\zoomout.htm
O8 - Extra context menu item: I&mages List - C:\WINDOWS\Web\imglist.htm
O8 - Extra context menu item: Add Bookmark to &SpotOn - res://C:\PROGRAM FILES\SPOTON\SPOTONBH.DLL/#101
O8 - Extra context menu item: SpotOn &AutoTour - res://C:\PROGRAM FILES\SPOTON\SPOTONBH.DLL/#103
O8 - Extra context menu item: SpotOn Add &To Tour - res://C:\PROGRAM FILES\SPOTON\SPOTONBH.DLL/#105
O8 - Extra context menu item: RoboForm &2 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Customize Menu &4 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O9 - Extra button: Wallpaper - {c23dd370-cb79-11d2-898a-00c04f80a47f} - C:\PROGRA~1\INTERN~1\Toolbar\toolbar.hta
O9 - Extra 'Tools' menuitem: &Toolbar Wallpaper - {c23dd370-cb79-11d2-898a-00c04f80a47f} - C:\PROGRA~1\INTERN~1\Toolbar\toolbar.hta
O9 - Extra button: Offline - {FC09D8A3-C85A-11d2-92D0-0000F87A4A55} - C:\WINDOWS\SYSTEM\OLINE.DLL
O9 - Extra button: (no name) - {BF80219A-CCDD-11d2-92D3-0000F87A4A55} - C:\WINDOWS\SYSTEM\WEBZONE.DLL
O9 - Extra 'Tools' menuitem: Add to Tr&usted Zone - {BF80219A-CCDD-11d2-92D3-0000F87A4A55} - C:\WINDOWS\SYSTEM\WEBZONE.DLL
O9 - Extra button: (no name) - {B06300D0-CCDE-11d2-92D3-0000F87A4A55} - C:\WINDOWS\SYSTEM\WEBZONE.DLL
O9 - Extra 'Tools' menuitem: Add to R&estricted Zone - {B06300D0-CCDE-11d2-92D3-0000F87A4A55} - C:\WINDOWS\SYSTEM\WEBZONE.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: (no name) - {233A9694-667E-11d1-9DFB-006097D5040A} - (no file)
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm &2 - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: ShopperReports - Compare product prices - {E77EDA01-3C56-4a96-8D08-02B42891C169} - C:\PROGRAM FILES\SHOPPERREPORTS\BIN\1.0.4.0\SHPRRPRT.DLL (file missing)
O9 - Extra button: ShopperReports - Compare travel rates - {946B3E9E-E21A-49c8-9F63-900533FAFE14} - C:\PROGRAM FILES\SHOPPERREPORTS\BIN\1.0.4.0\SHPRRPRT.DLL (file missing)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a224.g.akamai.net/7/224/52/20010419...meInstaller.exe
O16 - DPF: {713AE1D4-897C-11D2-B2A0-00C04F94B4D5} (WUCorpSuppControl Class) - http://corporate.windowsupdate.microsoft.com/en/wucorpct.CAB
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - AppInit_DLLs: Interceptor.dll
[font=Arial Black][size=7]
My problem is that when attempting to go on the internet I'm always connected to a number that asks for money and if I say 'NO' my internet connection is disconnected and from that point on my modem does not work. Again, any help will be greatly appreciated. I just want to defeat the people that highjacked my modem and go back to surfing the web.

Edited by TQUAD, 24 January 2006 - 04:37 AM.


BC AdBot (Login to Remove)

 


#2 pskelley

pskelley

  • Staff Emeritus
  • 1,487 posts
  • OFFLINE
  •  
  • Local time:03:49 PM

Posted 28 January 2006 - 10:33 AM

Hello and welcome to the forum. You do have some junk that needs to be removed, before I remove it I want to suggest strongly that you contact your Internet Service Provider about this issue. If you are paying them for this service, they should be told about someone else soliciting funds for the same service. Please follow the posted order.

1) Download, update, configure and run these two programs: http://tomcoyote.org/aawsb.php
The newest version of Ad-aware is 1.06 and Spybot 1.04. Even if you have these programs, use the link to get the newest version, update and configure them as in the link. Run Spybot first, reboot then run Ad-aware. Both programs back up what they remove so delete anything the programs say should be removed.

2) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R3 - URLSearchHook: (no name) - {DF7312F5-680D-4215-0F6E-1F01E5DC4CBA} - Shaitan1678.dll (file missing)
(if you know this reason for this Netscape pugin in you can leave it)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%206%5Csearchplugins%5CSBWeb_01.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\koookw6d.slt\prefs.js)
(optional removal next one)
O2 - BHO: BrowserHelper Class - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM\NZDD0.DLL
O2 - BHO: IEHlprObjClass - {CE7C3CF0-4B15-11D1-ABED-709549C10000} - C:\KMOUSE\IE_SPY.DLL (file missing)
O3 - Toolbar: Hotbar - {B195B3B3-8A05-11D3-97A4-0004ACA6948E} - C:\PROGRAM FILES\HOTBAR\BIN\4.6.1.0\HBHOSTIE.DLL (file missing)
O9 - Extra button: (no name) - {233A9694-667E-11d1-9DFB-006097D5040A} - (no file)
(if you don't use the Alexa toolbar, remove the next two resource wasters)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

(look at that other 09 junk. If you see stuff you did not put there, remove it)

Close all programs but HJT and all browser windows, then click on "Fix Checked"

3) Download, update if available and run this free trial of TrojanHunter. Allow it to remove anything it locates and make me aware of the name and pathway of anything it could not.
http://www.softpedia.com/get/Antivirus/TrojanHunter.shtml

4) Download CCleaner from this link: http://www.ccleaner.com/ Review the instructions http://www.ccleaner.com/help/tour1.asp
Run CCleaner, Windows & Applications when you run the registry cleaner (Issues) you will be prompted to backup before you can remove stuff, make sure you do.

Post a new HJT log along with any information I asked for and any comments you have.

Thanks...pskelley
BleepingComputer

Edited by pskelley, 28 January 2006 - 10:36 AM.

MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006

#3 TQUAD

TQUAD
  • Topic Starter

  • Members
  • 96 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:milwaukee pc. Milwaukee Wisconsin.
  • Local time:01:49 PM

Posted 29 January 2006 - 11:32 PM

[font=Arial][size=7]
After following the instructions and removing the selected items I ran Trojan Hunter and CCleaner. The newest versions of Spybot and Ad Aware were also run prior to following the given directions. The
computer still fails to detect the modem in normal mode. It lists it as busy or not installed properly. The
only way to gain access to the internet is to go online in the safe mode, although the modem may still not get recignised. When that happens the modem must be reinstalled. In addition, the pc can only visit three or four websites before the next attempt results in 'Page cannot be displayed' appearing. The pc is also now running extremelY slow and to make matters worse, no backups were saved when prompted. As a result of reinstalling and rebooting so many times I'm litterally exhausted. I can't even remember how to post a highjack this log on this site. Someone please remind me so I can return after 12 hours of sleep and post one. Hoefully then I can fihure out what's wrong with this computer.
TQUAD

Edited by TQUAD, 29 January 2006 - 11:40 PM.


#4 pskelley

pskelley

  • Staff Emeritus
  • 1,487 posts
  • OFFLINE
  •  
  • Local time:03:49 PM

Posted 30 January 2006 - 10:52 AM

Hello and I know what you mean, I have spent some long hours troubleshooting modem issues myself. I was wondering if you followed my advice and asked your Internet Service Provider for help? Here are a links to troubleshoot modem issues:

http://www.google.com/search?hl=en&q=troub...G=Google+Search
http://www.informationweek.com/story/showA...cleID=160500660
http://www.modemhelp.net/index.shtml

I must say I have been wrong before, but I have never heard of malware causing these issues. I did point you to the ISP right in the beginning when you described your issue as someone try to solicite funds. You are now describing altogether new issues. My statement about you having a lot of junk to remove was true as you could see by what I posted in the instructions. If that fixes the modem issue or not, it needed to go. Here is a link that might help:
http://www.microsoft.com/windows/IE/commun...s/IEtopten.mspx

Here are the instructions for posting to your thread, use add reply, do not start a new topic:
http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

Post a new log and I will be glad to help you make sure you have cleaned out the bad stuff.

Thanks...Phil
MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006

#5 pskelley

pskelley

  • Staff Emeritus
  • 1,487 posts
  • OFFLINE
  •  
  • Local time:03:49 PM

Posted 06 February 2006 - 07:10 AM

No response in a week to instructions or

Post a new log and I will be glad to help you make sure you have cleaned out the bad stuff.

:thumbsup: Topic is closed.

Thanks...pskelley
BleepingComputer
MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users