Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

HJT log - Tadhg


  • Please log in to reply
2 replies to this topic

#1 Tadhg

Tadhg

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:12:27 PM

Posted 12 December 2004 - 01:15 PM

Hi,

My homepage is set to: http://win-eto.com/hp.htm?id=543
and I can't change it.

When I launch my browser, I get random search sites, example:
http://t.swapx.cc/h.php?aid=543&said=ce100

Results of HJT scan:

Logfile of HijackThis v1.98.2
Scan saved at 17:43:04, on 12/12/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SA3DSRV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\CPQEAUI.EXE
C:\COMPAQ\INTERNET\WATCHDOG.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\WINDOWS\SYSTEM\O1J4HGVP87K4MTHD.EXE
C:\DTBTSH.EXE
C:\PROGRAM FILES\ISTSVC\ISTSVC.EXE
C:\WINDOWS\SYSTEM\IPD7M9SXS0FF9L.EXE
C:\PROGRAM FILES\INTROREG\PIPELINE\REMIND32.EXE
C:\CPQS\BACKWEB\PROGRAM\BACKWEB.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\COMPAQ\ON-SCREEN DISPLAY\OSD.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.iol.ie/en/ie_search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.presario.net/scripts/redirec...&s=search&i=enu
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=543
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.iol.ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presario.net/scripts/redirec...&s=search&i=enu
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.presario.net/scripts/redirec...&s=search&i=enu
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.presario.net/scripts/redirec...&query=%s&i=enu
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Ireland On-Line
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F1 - win.ini: run=C:\CPQS\BACKWEB\HELP\QRUNQ.PIF, hpfsched
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\SYSTEM\KE1ZCI~1.DLL
O2 - BHO: (no name) - {2E9CAFF6-30C7-4208-8807-E79D4EC6F806} - C:\WINDOWS\SYSTEM\SDTDPSD.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [EACLEAN] C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe /NORESTART
O4 - HKLM\..\Run: [CPQEASYACC] C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\Cpqeaui.exe
O4 - HKLM\..\Run: [Essdc] essdc.exe
O4 - HKLM\..\Run: [Aureal A3D Interactive Audio Init] A3dInit.exe
O4 - HKLM\..\Run: [Compaq Internet Setup] C:\Compaq\Internet\InetWizard.exe /RUN
O4 - HKLM\..\Run: [Watch Dog Program] C:\COMPAQ\INTERNET\WATCHDOG.EXE
O4 - HKLM\..\Run: [AMDK6Patch] C:\Compaq\Support\K6CPU.exe
O4 - HKLM\..\Run: [BCWipeTM Startup] "C:\Program Files\Jetico\BCWipe\BCWipeTM.exe" startup
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Control handler] C:\WINDOWS\SYSTEM\O1J4HGVP87K4MTHD.EXE
O4 - HKLM\..\Run: [5mCUaiea] C:\DTBTSH.EXE
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: [0 44}5]C:\Program Files\ISTsvc\istsvc.exe] C:\DTBTSH.EXE
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Aureal A3D Interactive Audio] sa3dsrv.exe
O4 - HKCU\..\Run: [romahere3] C:\WINDOWS\SYSTEM\IPD7M9SXS0FF9L.EXE
O4 - Startup: Reminder-cpq40302.lnk = C:\Program Files\introreg\PIPELINE\REMIND32.EXE
O4 - Startup: BackWeb.lnk = C:\CPQS\BackWeb\Program\backweb.exe
O4 - Startup: Billminder.lnk = C:\QUICKENW\billmind.exe
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Mail - {8E3AEE80-1A46-11D9-A0EC-F9B3772A156D} - C:\Program Files\Outlook Express\msimn.exe (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://home.iol.ie
O16 - DPF: Win32 Classes - file://c:\windows\Java\classes\win32ie4.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?323
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/22805645917e32...ip/RdxIE601.cab

BC AdBot (Login to Remove)

 


m

#2 penmore

penmore

    Malware Sniffer


  • Members
  • 757 posts
  • OFFLINE
  •  
  • Location:West Coast of Scotland
  • Local time:06:27 PM

Posted 13 December 2004 - 02:18 PM

Hi Tadhg,

I'll be responsible for looking at your log. Please be patient whilst I review it. I will get back to you as soon as possible with information on how to proceed.

#3 penmore

penmore

    Malware Sniffer


  • Members
  • 757 posts
  • OFFLINE
  •  
  • Location:West Coast of Scotland
  • Local time:06:27 PM

Posted 14 December 2004 - 03:17 AM

Hi Tadhg,


The version of Internet Explorer that you are using is unpatched and you are lacking in any form of Anti Virus protection. Before we can start to tidy your machine I need you to do the following:
  • Please visit the this link and download the latest version of Internet Explorer for your operating system (SP1). This can be obtained from this link to the Microsoft website.
  • Please visit the Grisoft website and download the latest version of AVG Anti Virus V7.296 Install the software and download any updates that are available. Double click on the AVG logo and click on the Scan Computer button. Allow AVG to perform a complete scan of your system.
  • Reboot your machine, run HijackThis and post a post a new log here so we can tackle the remaining infections.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users