Plz help me


#1 Kush

Posted 05 June 2004 - 09:54 AM

Hi, I was wondering if someone could help me with my hijackthis log...

Logfile of HijackThis v1.97.7
Scan saved at 16:53:38, on 05.06.04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAMFILER\NORTON INTERNET SECURITY FAMILY EDITION\NISSERV.EXE
C:\PROGRAMFILER\NORTON INTERNET SECURITY FAMILY EDITION\IAMAPP.EXE
C:\PROGRAMFILER\NORTON INTERNET SECURITY FAMILY EDITION\NISUM.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\PELMICED.EXE
C:\IBMTOOLS\APTEZBTN\APTEZBP.EXE
C:\NORMAN\WIN95\CLAW95.EXE
C:\PROGRAMFILER\TELENOR INTERNETT\TELENOR INTERNETT ADSL\APP\ENTERNET.EXE
C:\PROGRAMFILER\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\CFGSAFE\AUTOCHK.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAMFILER\FELLESFILER\CMEII\CMESYS.EXE
C:\PROGRAMFILER\AIMBASE1\WAIT BAIT.EXE
C:\WINDOWS\TEMP\FSG_TMP\GINST_001_1234_4201.EXE
C:\WINDOWS\WT\UPDATER\WCMDMGR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAMFILER\FELLESFILER\GMT\GMT.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAMFILER\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAMFILER\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAMFILER\FELLESFILER\REAL\UPDATE_OB\REALSCHED.EXE
D:\FRODE\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://look-today.com/searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://look-today.com/searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://look-today.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://look-today.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://look-today.com/searchbar.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://look-today.com/searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {5ED2D561-B074-11D8-ABF8-00E052C3B210} - C:\WINDOWS\SYSTEM\HOFOJB.DLL
O2 - BHO: (no name) - {B672200B-2470-360C-46DF-66C7F7E25E1E} - C:\PROGRAMFILER\SETTINGSBOWSEACH\ACTIVEDOWNLOAD.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Meal Memo - {FF793071-457D-5DD5-4C57-5FC353DB45F2} - C:\PROGRAMFILER\SETTINGSBOWSEACH\ACTIVEDOWNLOAD.DLL
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] PELMICED.EXE
O4 - HKLM\..\Run: [AEZBProc] c:\ibmtools\aptezbtn\aptezbp.exe
O4 - HKLM\..\Run: [Set Drive Letter to G:] C:\WINDOWS\GDRIVE.EXE -N
O4 - HKLM\..\Run: [Cat's Claw] C:\NORMAN\WIN95\Claw95.exe
O4 - HKLM\..\Run: [$EnterNet] C:\PROGRAMFILER\TELENOR INTERNETT\TELENOR INTERNETT ADSL\APP\EnterNet.exe -AutoStart
O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\NORTON~1\DEFALERT.EXE
O4 - HKLM\..\Run: [Norton Auto-Protect] c:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE c:\windows\SYSTEM\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [BDMCon] C:\Programfiler\BullGuard\\bdmcon.exe
O4 - HKLM\..\Run: [ConfigSafe] C:\CFGSAFE\AUTOCHK.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [CMESys] "C:\PROGRAMFILER\FELLESFILER\CMEII\CMESYS.EXE"
O4 - HKLM\..\Run: [WinLoader] dmdtms.exe
O4 - HKLM\..\Run: [HtmSupport] C:\PROGRA~1\AIMBASE1\Wait bait.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programfiler\Fellesfiler\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
O4 - HKLM\..\Run: [Trickler] "c:\windows\temp\fsg_tmp\ginst_001_1234_4201.exe"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [WinLoader] dmdtms.exe
O4 - HKCU\..\Run: [Csps] C:\WINDOWS\Profiles\sirih-sa@online.no\Application Data\scao.exe
O4 - Startup: GStartup.lnk = C:\Programfiler\Fellesfiler\GMT\GMT.exe
O4 - User Startup: GStartup.lnk = C:\Programfiler\Fellesfiler\GMT\GMT.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {127698E4-E730-4E5C-A2B1-21490A70C8A1} (CEnroll Class) - https://www.skandiabanken.no/CertControl/x86/xenroll.dll
O16 - DPF: DnB-Betaling - http://www16.dnb.no/nettbank/bf.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...ector/swdir.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_42.cab
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://utu.popcap.com/games/popcaploader_v5.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8137.0073842593

#2 Grinler

Lawrence Abrams

Posted 05 June 2004 - 12:18 PM

I want you to fix some of those entries. Please do the following:

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please put a checkmark in the box for each of these entries, close all other windows, and click the fix button:


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://look-today.com/searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://look-today.com/searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://look-today.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://look-today.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://look-today.com/searchbar.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://look-today.com/searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {5ED2D561-B074-11D8-ABF8-00E052C3B210} - C:\WINDOWS\SYSTEM\HOFOJB.DLL
O2 - BHO: (no name) - {B672200B-2470-360C-46DF-66C7F7E25E1E} - C:\PROGRAMFILER\SETTINGSBOWSEACH\ACTIVEDOWNLOAD.DLL
O3 - Toolbar: Meal Memo - {FF793071-457D-5DD5-4C57-5FC353DB45F2} - C:\PROGRAMFILER\SETTINGSBOWSEACH\ACTIVEDOWNLOAD.DLL
O4 - HKLM\..\Run: [Cat's Claw] C:\NORMAN\WIN95\Claw95.exe
O4 - HKLM\..\Run: [BDMCon] C:\Programfiler\BullGuard\\bdmcon.exe
O4 - HKLM\..\Run: [CMESys] "C:\PROGRAMFILER\FELLESFILER\CMEII\CMESYS.EXE"
O4 - HKLM\..\Run: [WinLoader] dmdtms.exe
O4 - HKLM\..\Run: [HtmSupport] C:\PROGRA~1\AIMBASE1\Wait bait.exe
O4 - HKLM\..\Run: [Trickler] "c:\windows\temp\fsg_tmp\ginst_001_1234_4201.exe"
O4 - HKLM\..\RunServices: [WinLoader] dmdtms.exe
O4 - HKCU\..\Run: [Csps] C:\WINDOWS\Profiles\sirih-sa@online.no\Application Data\scao.exe
O4 - Startup: GStartup.lnk = C:\Programfiler\Fellesfiler\GMT\GMT.exe
O4 - User Startup: GStartup.lnk = C:\Programfiler\Fellesfiler\GMT\GMT.exe
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab

Reboot your computer into Safe Mode.

Then delete these files or directories
C:\WINDOWS\SYSTEM\HOFOJB.DLL
C:\PROGRAMFILER\SETTINGSBOWSEACH\
C:\NORMAN\WIN95\Claw95.ex
C:\Programfiler\BullGuard\\bdmcon.exe
C:\PROGRAMFILER\FELLESFILER\CMEII\
C:\PROGRA~1\AIMBASE1\Wait bait.exe
c:\windows\temp\fsg_tmp\ginst_001_1234_4201.exe
C:\WINDOWS\Profiles\sirih-sa@online.no\Application Data\scao.exe
C:\Programfiler\Fellesfiler\GMT\
c:\windows\dmdtms.exe or c:\windows\system\dmdtms.exe

Reboot your computer to go back to normal mode and post a new log.

#3 Kush

Posted 06 June 2004 - 08:39 AM

Here is an updated log:

Logfile of HijackThis v1.97.7
Scan saved at 15:37:50, on 06.06.04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAMFILER\NORTON INTERNET SECURITY FAMILY EDITION\NISSERV.EXE
C:\PROGRAMFILER\NORTON INTERNET SECURITY FAMILY EDITION\IAMAPP.EXE
C:\PROGRAMFILER\NORTON INTERNET SECURITY FAMILY EDITION\NISUM.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\PELMICED.EXE
C:\IBMTOOLS\APTEZBTN\APTEZBP.EXE
C:\PROGRAMFILER\TELENOR INTERNETT\TELENOR INTERNETT ADSL\APP\ENTERNET.EXE
C:\PROGRAMFILER\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\CFGSAFE\AUTOCHK.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAMFILER\FELLESFILER\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\WT\UPDATER\WCMDMGR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
D:\FRODE\HIJACKTHIS\HIJACKTHIS.EXE

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAMFILER\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] PELMICED.EXE
O4 - HKLM\..\Run: [AEZBProc] c:\ibmtools\aptezbtn\aptezbp.exe
O4 - HKLM\..\Run: [Set Drive Letter to G:] C:\WINDOWS\GDRIVE.EXE -N
O4 - HKLM\..\Run: [$EnterNet] C:\PROGRAMFILER\TELENOR INTERNETT\TELENOR INTERNETT ADSL\APP\EnterNet.exe -AutoStart
O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\NORTON~1\DEFALERT.EXE
O4 - HKLM\..\Run: [Norton Auto-Protect] c:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE c:\windows\SYSTEM\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [ConfigSafe] C:\CFGSAFE\AUTOCHK.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programfiler\Fellesfiler\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {127698E4-E730-4E5C-A2B1-21490A70C8A1} (CEnroll Class) - https://www.skandiabanken.no/CertControl/x86/xenroll.dll
O16 - DPF: DnB-Betaling - http://www16.dnb.no/nettbank/bf.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...ector/swdir.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_42.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://utu.popcap.com/games/popcaploader_v5.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8137.0073842593
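
Added example (my code, not something posted in this thread and not part of HijackThis): a small Python script that parses the `Rn`/`On` finding lines of a HijackThis log, diffs Kush's first and second scans, and pulls the file path out of each entry that disappeared, which is the list Grinler wrote out by hand for the Safe Mode cleanup. The two embedded log excerpts are taken from the logs above and are deliberately incomplete; the regexes and the split between local-disk sections (O2/O3/O4) and sections that carry no local path (R*, O16) are my assumptions about the log format, not anything HijackThis documents.

```python
"""Added example: parse HijackThis 1.97-style log lines, diff two scans,
and pull the file paths out of the entries that disappeared."""
import re
from typing import List, Optional, Tuple

Entry = Tuple[str, str]  # (section such as "R1" or "O4", rest of the line)

# Every HijackThis finding has the shape "<section> - <detail>". The header
# and the "Running processes:" block do not, so the regex skips them.
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<detail>.+)$")

# Path extraction, tried in this order: a quoted path; an unquoted drive
# path read non-greedily up to the first executable extension (so spaces
# inside the path survive); a bare file name with no directory at all.
# These patterns are assumptions about the log format, not a HijackThis spec.
QUOTED_RE = re.compile(r'"([^"]+)"')
DRIVE_RE = re.compile(r'([A-Za-z]:\\[^"]*?\.(?:exe|dll|ocx))', re.IGNORECASE)
BARE_RE = re.compile(r"(?<![\\\w])([\w~$.-]+\.(?:exe|dll|ocx))(?!\S)", re.IGNORECASE)

# Sections whose entries load something from the local disk; R* entries are
# IE settings and O16 entries are remote CAB URLs, so they yield no path.
LOCAL_SECTIONS = {"O2", "O3", "O4"}

# Constructed excerpts of the two logs posted in this thread (not full logs).
BEFORE_EXCERPT = r"""
Logfile of HijackThis v1.97.7
Platform: Windows 98 SE (Win9x 4.10.2222A)

Running processes:
C:\WINDOWS\TEMP\FSG_TMP\GINST_001_1234_4201.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://look-today.com/searchbar.html
O2 - BHO: (no name) - {5ED2D561-B074-11D8-ABF8-00E052C3B210} - C:\WINDOWS\SYSTEM\HOFOJB.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [WinLoader] dmdtms.exe
O4 - HKLM\..\Run: [HtmSupport] C:\PROGRA~1\AIMBASE1\Wait bait.exe
O4 - HKLM\..\Run: [Trickler] "c:\windows\temp\fsg_tmp\ginst_001_1234_4201.exe"
O4 - HKLM\..\RunServices: [WinLoader] dmdtms.exe
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab
"""

AFTER_EXCERPT = r"""
Logfile of HijackThis v1.97.7

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAMFILER\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
"""


def parse_log(text: str) -> List[Entry]:
    """Return every recognised finding as a (section, detail) tuple."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group("section"), m.group("detail")))
    return entries


def diff_logs(before: str, after: str) -> Tuple[List[Entry], List[Entry]]:
    """Entries that vanished between two scans, and entries that appeared."""
    old, new = set(parse_log(before)), set(parse_log(after))
    return sorted(old - new), sorted(new - old)


def file_path(entry: Entry) -> Optional[str]:
    """Best-effort file path (or bare file name) referenced by a local entry."""
    section, detail = entry
    if section not in LOCAL_SECTIONS:
        return None
    for pattern in (QUOTED_RE, DRIVE_RE, BARE_RE):
        m = pattern.search(detail)
        if m:
            return m.group(1)
    return None


def delete_list(removed: List[Entry]) -> List[str]:
    """Case-insensitively de-duplicated paths behind the removed entries.

    A bare name such as dmdtms.exe means the log gave no directory: Win9x
    resolves it through the search path, so it has to be located by hand."""
    seen: List[str] = []
    for entry in removed:
        path = file_path(entry)
        if path and path.lower() not in {s.lower() for s in seen}:
            seen.append(path)
    return seen


if __name__ == "__main__":
    removed, added = diff_logs(BEFORE_EXCERPT, AFTER_EXCERPT)
    for section, detail in removed:
        print("removed:", section, "-", detail)
    for section, detail in added:
        print("added:  ", section, "-", detail)
    print("files behind the removed entries:")
    for path in delete_list(removed):
        print("  ", path)
```

Run it as-is and it prints the seven entries that disappeared between the two scans, the one new Acrobat BHO, and four files to look for: the HOFOJB.DLL BHO, the "Wait bait.exe" and "ginst" executables, and the bare `dmdtms.exe`, which comes back without a directory because the O4 entry never had one (the same reason Grinler listed two candidate locations for it).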

#4 Grinler

Lawrence Abrams

Posted 06 June 2004 - 10:56 AM

That looks great. Nice clean log.

If you choose, there is an optional entry you can remove:

O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch

This is for WildTangent and may cause a problem using their games. It is totally up to you to remove that.



