Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

t.swapx.cc problem


  • Please log in to reply
7 replies to this topic

#1 messed_up

messed_up

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:01:10 AM

Posted 30 November 2004 - 07:02 PM

stupid window always opens to t.swapx.cc and adds porn to favourites...

so... this is a huge problem for me. and quite sadly i'm the most computer savvy in our household and that's not saying much. any help would be deeply appreciated.

Logfile of HijackThis v1.98.2
Scan saved at 8:00:33 PM, on 11/30/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\OFFICE51\SOINTGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\ICHOOSE\NAG.EXE
C:\PROGRAM FILES\ESOFT\EBOARD\EBOARD.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\MSMGT.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\31237.EXE
C:\PROGRAM FILES\COMMON FILES\CMEII\CMESYS.EXE
C:\WINDOWS\SYSTEM\WXTVVK.EXE
C:\PROGRAM FILES\COMMON FILES\UPDMGR\UPDMGR.EXE
C:\WINDOWS\SYSTEM\P2P NETWORKING\P2P NETWORKING.EXE
C:\PROGRAM FILES\ALTNET\POINTS MANAGER\POINTS MANAGER.EXE
C:\WINDOWS\SYSTEM\ZEBP8GF9GLB3YPTHD.EXE
C:\PROGRAM FILES\ISTSVC\ISTSVC.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\SYSTEM\B0KC9XNR95ZED.EXE
C:\PROGRAM FILES\COMMON FILES\GMT\GMT.EXE
C:\PROGRAM FILES\EWARE\IWARE.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\ALTNET\DOWNLOAD MANAGER\ASM.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.searchv.com/5/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.e4me.com/start.html
R3 - URLSearchHook: (no name) - _{0199DF25-9820-4bd5-9FEE-5A765AB4371E} - (no file)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] systray.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [ATIGART] c:\ati\gart\atigart.exe
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AtiQiPcl] AtiQiPcl.exe
O4 - HKLM\..\Run: [SO5 Integrator Pass Two] C:\OFFICE51\SOINTGR.EXE
O4 - HKLM\..\Run: [iCn] C:\PROGRAM FILES\ICHOOSE\NAG.EXE
O4 - HKLM\..\Run: [eMachine eBoard] C:\PROGRA~1\ESOFT\EBOARD\eBoard.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [MSMGT] C:\WINDOWS\MSMGT.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [31237.exe] 31237.exe
O4 - HKLM\..\Run: [CMESys] "C:\PROGRAM FILES\COMMON FILES\CMEII\CMESYS.EXE"
O4 - HKLM\..\Run: [ysccdtmhmjv] C:\WINDOWS\SYSTEM\wxtvvk.exe
O4 - HKLM\..\Run: [updmgr] C:\Program Files\Common files\updmgr\updmgr.exe
O4 - HKLM\..\Run: [CONSCORR] C:\WINDOWS\CONSCORR.exe
O4 - HKLM\..\Run: [P2P NETWORKING] C:\WINDOWS\SYSTEM\P2P NETWORKING\P2P NETWORKING.EXE /AUTOSTART
O4 - HKLM\..\Run: [AltnetPointsManager] c:\program files\altnet\points manager\points manager.exe -s
O4 - HKLM\..\Run: [satmat] C:\WINDOWS\SATMAT.exe
O4 - HKLM\..\Run: [Control handler] C:\WINDOWS\SYSTEM\ZEBP8GF9GLB3YPTHD.EXE
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SO5 Integrator Pass One] C:\OFFICE51\SOINTGR.EXE
O4 - HKCU\..\Run: [MsnMsgr] "c:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [romahere3] C:\WINDOWS\SYSTEM\B0KC9XNR95ZED.EXE
O4 - Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O4 - Startup: eWare Startup.lnk = C:\Program Files\eWare\iWareStart.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildtangent.com/bgn/partner...kII/install.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = nb.aibn.com
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 198.164.30.2,198.164.4.2


thanks again!

BC AdBot (Login to Remove)

 


#2 Daisuke

Daisuke

    Cleaner on Duty


  • Members
  • 5,575 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Romania
  • Local time:01:10 AM

Posted 01 December 2004 - 05:35 AM

Hi

REBOOT into SafeMode by tapping F8 key repeatedly at bootup: Starting your computer in Safe mode

Unistall from Add\Remove Programs:
Speedblaster
TV T-Media Display


REBOOT normally.

Unistall from Add\Remove Programs:
KeenValue
IST Bar


You are using Kazaa. This is not technically malware by itself, but it installs malware in order to run properly and it opens the door for every other nasty program you can think of. I strongly recommend that you remove it. Read this article for alternatives that will provide some of the same function without the garbage: http://www.spywareinfo.com/articles/p2p/ If you opt to remove it, first use Add/Remove Program to remove it and any reference to Altnet and P2P Networking. Go to your control panel, then to add/remove programs...uninstall P2P networking...If/when asked whether you also want to remove Altnet components, say 'Yes'.
P2P Networking is a totally useless Kazaa add-on, and it's been reported to be responsible for serious system slowdowns.

You have Wild Tangent installed. Wild Tangent collects information about you and your usage. The advertisements may also contain pornographic or other material that you might find inappropriate. You can follow these instructions to uninstall it: No. 8 - Uninstallation .

Download CWShredder: Download here. Don't use it yet.

Download Ad-aware SE 1.05: here
Install it. When you get the last screen, with the "Finish" button and 3 options, uncheck those three items.
Open AdAware and click the "Check for updates now" link. Close AdAware. Don't use it yet.

Download System Security Suite here:
System Security Suite Download & Tutorial. Unzip it to your desktop.
Install the program. Don't use it yet.

Download the Hoster from here. Save it on your desktop.

Copy the contents of the Quote box to Notepad, and save in a location of your choice (on your desktop for example) as repair.reg (make sure to save as type: "All Files")

REGEDIT4

[-HKEY_CLASSES_ROOT\Interface\{0D721150-AEF3-457B-B03A-5097B623CE45}]
[-HKEY_CLASSES_ROOT\Plugin6.DNSErrObj]
[-HKEY_CLASSES_ROOT\redalert.here]
[-HKEY_CLASSES_ROOT\TypeLib\{444A5674-FF85-45D4-9AE2-4199D8D70C85}]


Please print or copy these instructions because you are not able to access the Internet in SafeMode.

Make sure you are set to show hidden files and folders:
A. On the Tools menu in Windows Explorer, click Folder Options.
B. Click the View tab.
C. Under Hidden files and folders, click Show hidden files and folders.
D. Uncheck Hide extensions for known filetypes and Hide protected operating system files.
How to see hidden files in Windows

REBOOT into SafeMode by tapping F8 key repeatedly at bootup: Starting your computer in Safe mode

Run HijackThis!, press Scan, and put a check mark next to all these:

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.searchv.com/5/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.e4me.com/start.html
R3 - URLSearchHook: (no name) - _{0199DF25-9820-4bd5-9FEE-5A765AB4371E} - (no file)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

O4 - HKLM\..\Run: [MSMGT] C:\WINDOWS\MSMGT.EXE
O4 - HKLM\..\Run: [31237.exe] 31237.exe
O4 - HKLM\..\Run: [CMESys] "C:\PROGRAM FILES\COMMON FILES\CMEII\CMESYS.EXE"
O4 - HKLM\..\Run: [ysccdtmhmjv] C:\WINDOWS\SYSTEM\wxtvvk.exe
O4 - HKLM\..\Run: [updmgr] C:\Program Files\Common files\updmgr\updmgr.exe
O4 - HKLM\..\Run: [CONSCORR] C:\WINDOWS\CONSCORR.exe
O4 - HKLM\..\Run: [P2P NETWORKING] C:\WINDOWS\SYSTEM\P2P NETWORKING\P2P NETWORKING.EXE /AUTOSTART
O4 - HKLM\..\Run: [AltnetPointsManager] c:\program files\altnet\points manager\points manager.exe -s
O4 - HKLM\..\Run: [satmat] C:\WINDOWS\SATMAT.exe
O4 - HKLM\..\Run: [Control handler] C:\WINDOWS\SYSTEM\ZEBP8GF9GLB3YPTHD.EXE
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKCU\..\Run: [romahere3] C:\WINDOWS\SYSTEM\B0KC9XNR95ZED.EXE
O4 - Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildtangent.com/bgn/partner...kII/install.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -


Close all other windows and browsers, and press the Fix Checked button.

Search for these files and delete them if found:
C:\WINDOWS\MSMGT.EXE <-- this file
31237.exe <-- this file
C:\WINDOWS\SYSTEM\wxtvvk.exe <-- this file
C:\WINDOWS\CONSCORR.exe <-- this file
C:\WINDOWS\SATMAT.exe <-- this file
C:\WINDOWS\SYSTEM\ZEBP8GF9GLB3YPTHD.EXE <-- this file
C:\WINDOWS\SYSTEM\B0KC9XNR95ZED.EXE <-- this file

Delete these folders:
C:\PROGRAM FILES\COMMON FILES\CMEII\ <-- this folder
C:\Program Files\Common files\updmgr\ <-- this folder
C:\WINDOWS\SYSTEM\P2P NETWORKING\ <-- this folder
c:\program files\altnet\ <-- this folder
C:\Program Files\ISTsvc\ <-- this folder
C:\Program Files\Common Files\GMT\ <-- this folder

Make sure all browser windows are closed and run cwshredder.exe to start the program and click on the FIX button (not the "Scan only" button) and let it scan your computer.

Run AdAware, press the "Start" button, uncheck "Scan for negligible risk entries", select "Perform full system scan" and press "Next". Let AdAware remove anything it finds.

With all windows and browsers closed.
Clean out temporary and Temporary Internet Files.
A. Open System Security Suite.
B. In the Items to Clear tab thick:
- Internet Explorer (left pane): Cookies & Temporary files
- My Computer (right pane): Temporary files & Recycle Bin
Press the Clear Selected Items button.
Close the program.

Open Internet Explorer, and click on the Tools menu and then Internet Options. At the General tab, which should be the first tab you are currently on, click on the Delete Files button and put a checkmark in Delete offline content. Then press the OK button. This may take quite a while, so do not be alarmed with how long it takes. When it is done, your Temporary Internet Files will now be deleted.

Run Hoster, press Restore Original Hosts and press OK. Exit Program. This will restore the original deleted Hosts file.

Locate on your desktop repair.reg, doubleclick it, and answer Yes when prompted to add its contents to the Registry, then restart your computer.

REBOOT normally.

Run HijackThis! again and post a new log please.
Everyday is virus day. Do you know where your recovery CDs are ?
Did you create them yet ?

Posted Image

#3 messed_up

messed_up
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:01:10 AM

Posted 02 December 2004 - 09:49 PM

:inlove: :trumpet: :flowers:
wow... not to act so juvenile but those pretty much sum up my feelings right now. the browser actually opened up to something other than t.swapx.cc for the first time in a long time. Thank you so much for all the help, the instructions were pretty easy to follow. Great advice, and I think it really worked. I'll be looking into those other file-sharing programs that you suggested. I never knew Kazaa was the (possible) source of my problems. Thank you so much.

so here's the hijack log as per request:

Logfile of HijackThis v1.98.2
Scan saved at 10:40:55 PM, on 12/2/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\OFFICE51\SOINTGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\ICHOOSE\NAG.EXE
C:\PROGRAM FILES\ESOFT\EBOARD\EBOARD.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\EWARE\IWARE.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] systray.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [ATIGART] c:\ati\gart\atigart.exe
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AtiQiPcl] AtiQiPcl.exe
O4 - HKLM\..\Run: [SO5 Integrator Pass Two] C:\OFFICE51\SOINTGR.EXE
O4 - HKLM\..\Run: [iCn] C:\PROGRAM FILES\ICHOOSE\NAG.EXE
O4 - HKLM\..\Run: [eMachine eBoard] C:\PROGRA~1\ESOFT\EBOARD\eBoard.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SO5 Integrator Pass One] C:\OFFICE51\SOINTGR.EXE
O4 - HKCU\..\Run: [MsnMsgr] "c:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: eWare Startup.lnk = C:\Program Files\eWare\iWareStart.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O14 - IERESET.INF: START_PAGE_URL=www.e4me.com
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = nb.aibn.com
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 198.164.30.2,198.164.4.2


Just one more thing, I was wondering how I could prevent this sort of thing from happening again.

Thanks again! :thumbsup:

#4 Daisuke

Daisuke

    Cleaner on Duty


  • Members
  • 5,575 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Romania
  • Local time:01:10 AM

Posted 03 December 2004 - 04:59 AM

Hi

Please print or copy these instructions because you are not able to access the Internet in SafeMode.

Make sure you are set to show hidden files and folders:
A. On the Tools menu in Windows Explorer, click Folder Options.
B. Click the View tab.
C. Under Hidden files and folders, click Show hidden files and folders.
D. Uncheck Hide extensions for known filetypes and Hide protected operating system files.
How to see hidden files in Windows

REBOOT into SafeMode by tapping F8 key repeatedly at bootup: Starting your computer in Safe mode

Run HijackThis!, press Scan, and put a check mark next to all these (note the two optionals):

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

Optional:
iChoose - shopping browser enhancement that alerts you to cheaper deals for goods you want to buy, if they exist, probably you can uninstall this from Add\Remove Programs first (?)
O4 - HKLM\..\Run: [iCn] C:\PROGRAM FILES\ICHOOSE\NAG.EXE

eWare iWare task bar - Sage CRM Mid Market Edition, probably you can uninstall this from Add\Remove Programs first (?)
O4 - Startup: eWare Startup.lnk = C:\Program Files\eWare\iWareStart.exe

Close all other windows and browsers, and press the Fix Checked button.

Delete these folders:
C:\Program Files\eWare\ <-- this folder, OPTIONAL, delete it only if you want to remove eWare iWare
C:\PROGRAM FILES\ICHOOSE\ <-- this folder, OPTIONAL, delete it only if you want to remove iChoose

Empty the Recycle Bin.

REBOOT normally.

Run HijackThis! again and post a new log please.
Everyday is virus day. Do you know where your recovery CDs are ?
Did you create them yet ?

Posted Image

#5 messed_up

messed_up
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:01:10 AM

Posted 04 December 2004 - 09:47 PM

here's the hijackThis log...

Logfile of HijackThis v1.98.2
Scan saved at 10:44:15 PM, on 12/4/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\OFFICE51\SOINTGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\ESOFT\EBOARD\EBOARD.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] systray.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [ATIGART] c:\ati\gart\atigart.exe
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AtiQiPcl] AtiQiPcl.exe
O4 - HKLM\..\Run: [SO5 Integrator Pass Two] C:\OFFICE51\SOINTGR.EXE
O4 - HKLM\..\Run: [eMachine eBoard] C:\PROGRA~1\ESOFT\EBOARD\eBoard.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SO5 Integrator Pass One] C:\OFFICE51\SOINTGR.EXE
O4 - HKCU\..\Run: [MsnMsgr] "c:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O14 - IERESET.INF: START_PAGE_URL=www.e4me.com
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = nb.aibn.com
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 198.164.30.2,198.164.4.2


everything seem okay?

#6 Daisuke

Daisuke

    Cleaner on Duty


  • Members
  • 5,575 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Romania
  • Local time:01:10 AM

Posted 05 December 2004 - 04:47 AM

everything seem okay?

No :thumbsup:

! This is very important !: Update your outdated Internet Explorer browser. Doing this will make your computer more secure. Please visit Windows Update (follow this link: http://www.windowsupdate.com) to update your browser. Follow the instructions on the screen. You may have to visit more then once Windows Update to install all updates.
Not updating Internet Explorer will leave your computer vulnerable to malware and attacks.

After the installation of the last update make sure you REBOOT the computer, run HijackThis again and post a new log please.
Everyday is virus day. Do you know where your recovery CDs are ?
Did you create them yet ?

Posted Image

#7 messed_up

messed_up
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:01:10 AM

Posted 08 December 2004 - 02:33 PM

crossing my fingers... hopefully everything is fixed now.


Logfile of HijackThis v1.98.2
Scan saved at 3:22:38 PM, on 12/8/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\OFFICE51\SOINTGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\ESOFT\EBOARD\EBOARD.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\WINMX\WINMX.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] systray.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [ATIGART] c:\ati\gart\atigart.exe
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AtiQiPcl] AtiQiPcl.exe
O4 - HKLM\..\Run: [SO5 Integrator Pass Two] C:\OFFICE51\SOINTGR.EXE
O4 - HKLM\..\Run: [eMachine eBoard] C:\PROGRA~1\ESOFT\EBOARD\eBoard.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SO5 Integrator Pass One] C:\OFFICE51\SOINTGR.EXE
O4 - HKCU\..\Run: [MsnMsgr] "c:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = nb.aibn.com
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 198.164.30.2,198.164.4.2


thanx again.

#8 Daisuke

Daisuke

    Cleaner on Duty


  • Members
  • 5,575 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Romania
  • Local time:01:10 AM

Posted 08 December 2004 - 03:38 PM

hopefully everything is fixed now.

Yes, the log looks clean...great job ! :thumbsup:

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

How did I get infected?, With steps so it does not happen again!

Glad I was able to help.
Everyday is virus day. Do you know where your recovery CDs are ?
Did you create them yet ?

Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users