
Help with HJT log


  • This topic is locked
7 replies to this topic

#1 JazeGrly

  • Members
  • 7 posts

Posted 16 December 2004 - 07:57 PM

Hi-
My sister's system is running real slow and gets locked up a lot. I have run Spybot S&D and Ad-Aware and it seemed to help a little, but I know there are a lot of things going on here that shouldn't be. Thanks for your help!!

Logfile of HijackThis v1.99.0
Scan saved at 6:49:53 PM, on 12/16/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\WINTOOLS\WTOOLSA.EXE
C:\PROGRAM FILES\COMMON FILES\WINTOOLS\WSUP.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\IBMTOOLS\APTEZBTN\APTEZBP.EXE
C:\MOUSE\SYSTEM\EM_EXEC.EXE
C:\CSAFE\AUTOCHK.EXE
C:\PROGRAM FILES\VISIONEER ONETOUCH\ONETOUCHMON.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\DLINK.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\DWSJVVA.EXE
C:\WINDOWS\TEMP\KPVGPZC.EXE
C:\WINDOWS\180AX.EXE
C:\WINDOWS\MEDLOAD.EXE
C:\WINDOWS\APPLICATION DATA\EEOA.EXE
C:\WINDOWS\SYSTEM\CFTT.EXE
C:\PROGRAM FILES\PALM\HOTSYNC.EXE
C:\WINDOWS\WEB\CRMC.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50141
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cox.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://server224.smartbotpro.net/7search/?003-nhp
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - C:\TV MEDIA\TVMBHO.DLL
O2 - BHO: CATLEvents Object - {68132581-10F2-416E-B188-4E648075325A} - C:\WINDOWS\TEMP\OFNICP.DAT
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSB.DLL
O2 - BHO: CATLEvents Object - {02F96FB7-8AF6-439B-B7BA-2F952F9E4800} - C:\WINDOWS\TEMP\CMRC.DAT
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AEZBProc] c:\ibmtools\aptezbtn\aptezbp.exe
O4 - HKLM\..\Run: [EM_EXEC] c:\mouse\system\em_exec.exe
O4 - HKLM\..\Run: [ConfigSafe] C:\CSAFE\AUTOCHK.EXE
O4 - HKLM\..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [NetworkSetup] c:\windows\DLink.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\SYSTEM\QTTASK.EXE
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [dupjlqmm] C:\WINDOWS\rvrrmofx.exe
O4 - HKLM\..\Run: [TV Media] C:\TV MEDIA\Tvm.exe
O4 - HKLM\..\Run: [pxfmhojjalf] C:\WINDOWS\SYSTEM\dwsjvva.exe
O4 - HKLM\..\Run: [LOGBIN] C:\WINDOWS\CONFIG\LOGBIN.EXE
O4 - HKLM\..\Run: [*LOGBIN] C:\WINDOWS\CONFIG\LOGBIN.EXE
O4 - HKLM\..\Run: [*LOGIMG] C:\WINDOWS\HELP\LOGIMG.EXE
O4 - HKLM\..\Run: [*DVDFTP] C:\WINDOWS\SPEECH\DVDFTP.EXE
O4 - HKLM\..\Run: [*RUNAP] C:\WINDOWS\APPPATCH\RUNAP.EXE
O4 - HKLM\..\Run: [*TAPIFAX] C:\WINDOWS\WINDOWS UPDATE SETUP FILES\TAPIFAX.EXE
O4 - HKLM\..\Run: [*ABRCMD] C:\WINDOWS\HELP\MMC\ABRCMD.EXE
O4 - HKLM\..\Run: [*CRFONT] C:\WINDOWS\WINDOWS UPDATE SETUP FILES\CRFONT.EXE
O4 - HKLM\..\Run: [*PSFTP] C:\WINDOWS\APPPATCH\PSFTP.EXE
O4 - HKLM\..\Run: [*BASDVD] C:\WINDOWS\JAVA\TRUSTLIB\BASDVD.EXE
O4 - HKLM\..\Run: [function redirec] c:\WINDOWS\System\function redirect(){
O4 - HKLM\..\Run: [*SVRDLL] C:\WINDOWS\CURSORS\SVRDLL.EXE
O4 - HKLM\..\Run: [*ANTIDOC] C:\WINDOWS\SPEECH\ANTIDOC.EXE
O4 - HKLM\..\Run: [*MC] C:\WINDOWS\TASKS\MC.EXE
O4 - HKLM\..\Run: [Kpvgpzc] C:\WINDOWS\TEMP\KPVGPZC.EXE
O4 - HKLM\..\Run: [180ax] c:\windows\180ax.exe
O4 - HKLM\..\Run: [loads.exe] C:\WINDOWS\medload.exe
O4 - HKLM\..\Run: [lmdcr] C:\WINDOWS\lmdcr.exe
O4 - HKLM\..\Run: [*acjava] C:\WINDOWS\APPPATCH\ACJAVA.EXE
O4 - HKLM\..\Run: [*vsscmd] C:\WINDOWS\FONTS\VSSCMD.EXE
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSA.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [WinTools] C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSA.EXE
O4 - HKLM\..\RunOnce: [*crmc] C:\WINDOWS\WEB\CRMC.EXE rerun
O4 - HKLM\..\RunServicesOnce: [WinTools] C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSA.EXE /boot
O4 - HKCU\..\Run: [TV Media] C:\TV MEDIA\Tvm.exe
O4 - HKCU\..\Run: [Asow] C:\WINDOWS\Application Data\eeoa.exe
O4 - HKCU\..\Run: [function redirec] c:\WINDOWS\System\function redirect(){
O4 - HKCU\..\Run: [Tgei] C:\WINDOWS\SYSTEM\cftt.exe
O4 - HKCU\..\RunServices: [TV Media] C:\TV MEDIA\Tvm.exe
O4 - HKCU\..\RunServices: [Asow] C:\WINDOWS\Application Data\eeoa.exe
O4 - HKCU\..\RunServices: [function redirec] c:\WINDOWS\System\function redirect(){
O4 - HKCU\..\RunServices: [Tgei] C:\WINDOWS\SYSTEM\cftt.exe
O4 - HKCU\..\RunOnce: [*WinLogon] C:\WINDOWS\JAVA\TRUSTLIB\JPEGMSVC.EXE ren my_time:1103237207
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\SYSTEM\E_SRCV03.EXE
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: updater.lnk = C:\Program Files\Common Files\updater\wupdater.exe
O8 - Extra context menu item: Add To CheckIt &86 Trust List - C:\PROGRA~1\CHECKIT\86\AddToTrustList.js
O8 - Extra context menu item: Web Savings - file://C:\Program Files\WebSavingsfromEbates\System\Temp\ebateswebsavings_script0.htm
O8 - Extra context menu item: &AIM Search - res://C:\PROGRAM FILES\AIM TOOLBAR\AIMBAR.DLL/aimsearch.htm
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE (file missing)
O16 - DPF: {9DBAFCCF-592F-FFFF-FFFF-00608CEC297C} - http://wdownload.weatherbug.com/minibug/tr...uginstaller.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup145.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.overpro.com/WildApp.cab
O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} (IObjSafety.DemoCtl) - http://cabs.media-motor.net/cabs/diamond.cab


#2 raw

    Bleeping Hacker

  • Members
  • 2,577 posts
  • Gender:Male
  • Location:Texas

Posted 16 December 2004 - 11:23 PM

  • Download the FixVundo.exe file from: http://securityresponse.symantec.com/avcenter/FixVundo.exe
  • Save the file to a convenient location, such as your Windows desktop.
  • Close all the running programs.
  • If you are on a network or if you have a full-time connection to the Internet, disconnect the computer from the network and the Internet.
  • Locate the file that you just downloaded.
  • Double-click the FixVundo.exe file to start the removal tool.
  • Click Start to begin the process, and then allow the tool to run.

    Important: Do not launch any new applications while the tool is running.

  • Restart the computer.
  • Run the removal tool again to ensure that the system is clean.
===========================
Go here to download the free version of Grisoft's AVG AntiVirus program.

Install the program, check for updates and scan your system allowing it to remove whatever it finds.

Post a new log.


 rawcreations.net          @raw_creations


Current systems: WHAT OS, BackTrack-raw, PCLinuxOS, Peppermint OS 6, Kali Linux

and a custom Linux From Scratch server hosting a bunch of top secret stuff.


#3 JazeGrly

  • Topic Starter
  • Members
  • 7 posts

Posted 19 December 2004 - 03:08 PM

Thanks for your response. I have followed your instructions and here is my new log.

Logfile of HijackThis v1.99.0
Scan saved at 2:57:27 PM, on 12/19/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\WINTOOLS\WTOOLSA.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\COMMON FILES\WINTOOLS\WSUP.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\IBMTOOLS\APTEZBTN\APTEZBP.EXE
C:\MOUSE\SYSTEM\EM_EXEC.EXE
C:\CSAFE\AUTOCHK.EXE
C:\PROGRAM FILES\VISIONEER ONETOUCH\ONETOUCHMON.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\DLINK.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\TEMP\KPVGPZC.EXE
C:\WINDOWS\180AX.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\APPLICATION DATA\EEOA.EXE
C:\WINDOWS\SYSTEM\CFTT.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\PALM\HOTSYNC.EXE
C:\WINDOWS\JAVA\CLASSES\DOSBAK.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50141
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cox.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50141
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://server224.smartbotpro.net/7search/?003-nhp
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50141
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - C:\TV MEDIA\TVMBHO.DLL
O2 - BHO: CATLEvents Object - {68132581-10F2-416E-B188-4E648075325A} - C:\WINDOWS\TEMP\3PMCVSM.DAT
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSB.DLL
O2 - BHO: CATLEvents Object - {13589181-4F0D-4553-B9F8-B4B72172C139} - C:\WINDOWS\TEMP\KABSOD.DAT
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AEZBProc] c:\ibmtools\aptezbtn\aptezbp.exe
O4 - HKLM\..\Run: [EM_EXEC] c:\mouse\system\em_exec.exe
O4 - HKLM\..\Run: [ConfigSafe] C:\CSAFE\AUTOCHK.EXE
O4 - HKLM\..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [NetworkSetup] c:\windows\DLink.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\SYSTEM\QTTASK.EXE
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [dupjlqmm] C:\WINDOWS\rvrrmofx.exe
O4 - HKLM\..\Run: [TV Media] C:\TV MEDIA\Tvm.exe
O4 - HKLM\..\Run: [pxfmhojjalf] C:\WINDOWS\SYSTEM\dwsjvva.exe
O4 - HKLM\..\Run: [LOGBIN] C:\WINDOWS\CONFIG\LOGBIN.EXE
O4 - HKLM\..\Run: [*LOGBIN] C:\WINDOWS\CONFIG\LOGBIN.EXE
O4 - HKLM\..\Run: [*LOGIMG] C:\WINDOWS\HELP\LOGIMG.EXE
O4 - HKLM\..\Run: [*DVDFTP] C:\WINDOWS\SPEECH\DVDFTP.EXE
O4 - HKLM\..\Run: [*RUNAP] C:\WINDOWS\APPPATCH\RUNAP.EXE
O4 - HKLM\..\Run: [*TAPIFAX] C:\WINDOWS\WINDOWS UPDATE SETUP FILES\TAPIFAX.EXE
O4 - HKLM\..\Run: [*ABRCMD] C:\WINDOWS\HELP\MMC\ABRCMD.EXE
O4 - HKLM\..\Run: [*CRFONT] C:\WINDOWS\WINDOWS UPDATE SETUP FILES\CRFONT.EXE
O4 - HKLM\..\Run: [*PSFTP] C:\WINDOWS\APPPATCH\PSFTP.EXE
O4 - HKLM\..\Run: [function redirec] c:\WINDOWS\System\function redirect(){
O4 - HKLM\..\Run: [*SVRDLL] C:\WINDOWS\CURSORS\SVRDLL.EXE
O4 - HKLM\..\Run: [*ANTIDOC] C:\WINDOWS\SPEECH\ANTIDOC.EXE
O4 - HKLM\..\Run: [*MC] C:\WINDOWS\TASKS\MC.EXE
O4 - HKLM\..\Run: [Kpvgpzc] C:\WINDOWS\TEMP\KPVGPZC.EXE
O4 - HKLM\..\Run: [180ax] c:\windows\180ax.exe
O4 - HKLM\..\Run: [lmdcr] C:\WINDOWS\lmdcr.exe
O4 - HKLM\..\Run: [*acjava] C:\WINDOWS\APPPATCH\ACJAVA.EXE
O4 - HKLM\..\Run: [*vsscmd] C:\WINDOWS\FONTS\VSSCMD.EXE
O4 - HKLM\..\Run: [*dosvga] C:\WINDOWS\WINDOWS UPDATE SETUP FILES\DOSVGA.EXE
O4 - HKLM\..\Run: [*faxxml] C:\WINDOWS\WINDOWS UPDATE SETUP FILES\FAXXML.EXE
O4 - HKLM\..\Run: [*fonttcp] C:\WINDOWS\FONTTCP.EXE
O4 - HKLM\..\Run: [*iisvb] C:\WINDOWS\CONFIG\IISVB.EXE
O4 - HKLM\..\Run: [*oleodbc] C:\WINDOWS\MSAGENT\OLEODBC.EXE
O4 - HKLM\..\Run: [*pcinfo] C:\WINDOWS\APPPATCH\PCINFO.EXE
O4 - HKLM\..\Run: [*runs] C:\WINDOWS\SYSTEM32\RUNS.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [*drvodbc] C:\WINDOWS\INF\I386\DRVODBC.EXE
O4 - HKLM\..\Run: [*cmp3] C:\WINDOWS\MSAGENT\CMP3.EXE
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSA.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [WinTools] C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSA.EXE
O4 - HKLM\..\RunServicesOnce: [WinTools] C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSA.EXE /boot
O4 - HKCU\..\Run: [TV Media] C:\TV MEDIA\Tvm.exe
O4 - HKCU\..\Run: [Asow] C:\WINDOWS\Application Data\eeoa.exe
O4 - HKCU\..\Run: [function redirec] c:\WINDOWS\System\function redirect(){
O4 - HKCU\..\Run: [Tgei] C:\WINDOWS\SYSTEM\cftt.exe
O4 - HKCU\..\Run: [AVG7_Run] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGW.EXE /RUNONCE
O4 - HKCU\..\RunServices: [TV Media] C:\TV MEDIA\Tvm.exe
O4 - HKCU\..\RunServices: [Asow] C:\WINDOWS\Application Data\eeoa.exe
O4 - HKCU\..\RunServices: [function redirec] c:\WINDOWS\System\function redirect(){
O4 - HKCU\..\RunServices: [Tgei] C:\WINDOWS\SYSTEM\cftt.exe
O4 - HKCU\..\RunServices: [AVG7_Run] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGW.EXE /RUNONCE
O4 - HKCU\..\RunOnce: [*WinLogon] C:\WINDOWS\SPEECH\EXPBAK.EXE ren my_time:1103485494
O4 - HKCU\..\RunServicesOnce: [*WinLogon] C:\WINDOWS\SPEECH\EXPBAK.EXE ren my_time:1103485494
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\SYSTEM\E_SRCV03.EXE
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: updater.lnk = C:\Program Files\Enigma Software Group\SpyHunter\Backup\wupdater.exe.bak
O8 - Extra context menu item: Add To CheckIt &86 Trust List - C:\PROGRA~1\CHECKIT\86\AddToTrustList.js
O8 - Extra context menu item: Web Savings - file://C:\Program Files\WebSavingsfromEbates\System\Temp\ebateswebsavings_script0.htm
O8 - Extra context menu item: &AIM Search - res://C:\PROGRAM FILES\AIM TOOLBAR\AIMBAR.DLL/aimsearch.htm
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE (file missing)
O16 - DPF: {9DBAFCCF-592F-FFFF-FFFF-00608CEC297C} - http://wdownload.weatherbug.com/minibug/tr...uginstaller.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup145.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.overpro.com/WildApp.cab
O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} (IObjSafety.DemoCtl) - http://cabs.media-motor.net/cabs/diamond.cab

#4 raw

    Bleeping Hacker

  • Members
  • 2,577 posts
  • Gender:Male
  • Location:Texas

Posted 20 December 2004 - 10:38 AM

I want you to fix some of those entries. Please do the following:

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Run HijackThis again, click Scan, and put a checkmark next to each of these. Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50141
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50141
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://server224.smartbotpro.net/7search/?003-nhp
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50141
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - C:\TV MEDIA\TVMBHO.DLL
O2 - BHO: CATLEvents Object - {68132581-10F2-416E-B188-4E648075325A} - C:\WINDOWS\TEMP\3PMCVSM.DAT
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSB.DLL
O2 - BHO: CATLEvents Object - {13589181-4F0D-4553-B9F8-B4B72172C139} - C:\WINDOWS\TEMP\KABSOD.DAT
O4 - HKLM\..\Run: [dupjlqmm] C:\WINDOWS\rvrrmofx.exe
O4 - HKLM\..\Run: [TV Media] C:\TV MEDIA\Tvm.exe
O4 - HKLM\..\Run: [pxfmhojjalf] C:\WINDOWS\SYSTEM\dwsjvva.exe
O4 - HKLM\..\Run: [LOGBIN] C:\WINDOWS\CONFIG\LOGBIN.EXE
O4 - HKLM\..\Run: [*LOGBIN] C:\WINDOWS\CONFIG\LOGBIN.EXE
O4 - HKLM\..\Run: [*LOGIMG] C:\WINDOWS\HELP\LOGIMG.EXE
O4 - HKLM\..\Run: [*DVDFTP] C:\WINDOWS\SPEECH\DVDFTP.EXE
O4 - HKLM\..\Run: [*RUNAP] C:\WINDOWS\APPPATCH\RUNAP.EXE
O4 - HKLM\..\Run: [*TAPIFAX] C:\WINDOWS\WINDOWS UPDATE SETUP FILES\TAPIFAX.EXE
O4 - HKLM\..\Run: [*ABRCMD] C:\WINDOWS\HELP\MMC\ABRCMD.EXE
O4 - HKLM\..\Run: [*CRFONT] C:\WINDOWS\WINDOWS UPDATE SETUP FILES\CRFONT.EXE
O4 - HKLM\..\Run: [*PSFTP] C:\WINDOWS\APPPATCH\PSFTP.EXE
O4 - HKLM\..\Run: [function redirec] c:\WINDOWS\System\function redirect(){
O4 - HKLM\..\Run: [*SVRDLL] C:\WINDOWS\CURSORS\SVRDLL.EXE
O4 - HKLM\..\Run: [*ANTIDOC] C:\WINDOWS\SPEECH\ANTIDOC.EXE
O4 - HKLM\..\Run: [*MC] C:\WINDOWS\TASKS\MC.EXE
O4 - HKLM\..\Run: [Kpvgpzc] C:\WINDOWS\TEMP\KPVGPZC.EXE
O4 - HKLM\..\Run: [180ax] c:\windows\180ax.exe
O4 - HKLM\..\Run: [lmdcr] C:\WINDOWS\lmdcr.exe
O4 - HKLM\..\Run: [*acjava] C:\WINDOWS\APPPATCH\ACJAVA.EXE
O4 - HKLM\..\Run: [*vsscmd] C:\WINDOWS\FONTS\VSSCMD.EXE
O4 - HKLM\..\Run: [*dosvga] C:\WINDOWS\WINDOWS UPDATE SETUP FILES\DOSVGA.EXE
O4 - HKLM\..\Run: [*faxxml] C:\WINDOWS\WINDOWS UPDATE SETUP FILES\FAXXML.EXE
O4 - HKLM\..\Run: [*fonttcp] C:\WINDOWS\FONTTCP.EXE
O4 - HKLM\..\Run: [*iisvb] C:\WINDOWS\CONFIG\IISVB.EXE
O4 - HKLM\..\Run: [*oleodbc] C:\WINDOWS\MSAGENT\OLEODBC.EXE
O4 - HKLM\..\Run: [*pcinfo] C:\WINDOWS\APPPATCH\PCINFO.EXE
O4 - HKLM\..\Run: [*runs] C:\WINDOWS\SYSTEM32\RUNS.EXE
O4 - HKLM\..\Run: [*drvodbc] C:\WINDOWS\INF\I386\DRVODBC.EXE
O4 - HKLM\..\Run: [*cmp3] C:\WINDOWS\MSAGENT\CMP3.EXE
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSA.EXE
O4 - HKLM\..\RunServices: [WinTools] C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSA.EXE
O4 - HKLM\..\RunServicesOnce: [WinTools] C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSA.EXE /boot
O4 - HKCU\..\Run: [TV Media] C:\TV MEDIA\Tvm.exe
O4 - HKCU\..\Run: [Asow] C:\WINDOWS\Application Data\eeoa.exe
O4 - HKCU\..\Run: [function redirec] c:\WINDOWS\System\function redirect(){
O4 - HKCU\..\Run: [Tgei] C:\WINDOWS\SYSTEM\cftt.exe
O4 - HKCU\..\RunOnce: [*WinLogon] C:\WINDOWS\SPEECH\EXPBAK.EXE ren my_time:1103485494
O4 - HKCU\..\RunServicesOnce: [*WinLogon] C:\WINDOWS\SPEECH\EXPBAK.EXE ren my_time:1103485494
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.overpro.com/WildApp.cab
O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} (IObjSafety.DemoCtl) - http://cabs.media-motor.net/cabs/diamond.cab

Reboot your computer into Safe Mode

Then delete these files or folders (Do not be concerned if they do not exist)

C:\TV MEDIA\TVMBHO.DLL
C:\WINDOWS\TEMP\3PMCVSM.DAT
C:\PROGRA~1\COMMON~1\WINTOOLS\ <-Delete Wintools Folder
C:\WINDOWS\TEMP\KABSOD.DAT
C:\WINDOWS\SYSTEM\dwsjvva.exe
C:\WINDOWS\CONFIG\LOGBIN.EXE
C:\WINDOWS\HELP\LOGIMG.EXE
C:\WINDOWS\SPEECH\DVDFTP.EXE
C:\WINDOWS\APPPATCH\RUNAP.EXE
C:\WINDOWS\WINDOWS UPDATE SETUP FILES\TAPIFAX.EXE
C:\WINDOWS\HELP\MMC\ABRCMD.EXE
C:\WINDOWS\WINDOWS UPDATE SETUP FILES\CRFONT.EXE
C:\WINDOWS\APPPATCH\PSFTP.EXE
c:\WINDOWS\System\function redirect(){
C:\WINDOWS\CURSORS\SVRDLL.EXE
C:\WINDOWS\SPEECH\ANTIDOC.EXE
C:\WINDOWS\TASKS\MC.EXE
C:\WINDOWS\TEMP\KPVGPZC.EXE
c:\windows\180ax.exe
C:\WINDOWS\lmdcr.exe
C:\WINDOWS\APPPATCH\ACJAVA.EXE
C:\WINDOWS\FONTS\VSSCMD.EXE
C:\WINDOWS\WINDOWS UPDATE SETUP FILES\DOSVGA.EXE
C:\WINDOWS\WINDOWS UPDATE SETUP FILES\FAXXML.EXE
C:\WINDOWS\FONTTCP.EXE
C:\WINDOWS\CONFIG\IISVB.EXE
C:\WINDOWS\MSAGENT\OLEODBC.EXE
C:\WINDOWS\APPPATCH\PCINFO.EXE
C:\WINDOWS\SYSTEM32\RUNS.EXE
C:\WINDOWS\INF\I386\DRVODBC.EXE
C:\WINDOWS\MSAGENT\CMP3.EXE
C:\PROGRA~1\COMMON~1\WINTOOLS <-Delete Wintools Folder
C:\TV MEDIA\Tvm.exe <-Delete TV MEDIA Folder
C:\WINDOWS\Application Data\eeoa.exe
c:\WINDOWS\System\function redirect(){
C:\WINDOWS\SYSTEM\cftt.exe
C:\WINDOWS\SPEECH\EXPBAK.EXE
C:\WINDOWS\SPEECH\EXPBAK.EXE


Reboot your computer to go back to normal mode and post a new log.



#5 JazeGrly

  • Topic Starter
  • Members
  • 7 posts

Posted 20 December 2004 - 09:18 PM

I followed your instructions again...here is my log. There have been some funky error messages coming up on boot-up since I've been trying to correct all this CRAP. I'm going to snap some screen shots for you to look at, maybe you could give me some advice on those as well. It would be GREATLY appreciated. Thanks again, you have been a savior!!!

Logfile of HijackThis v1.99.0
Scan saved at 9:10:04 PM, on 12/20/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\IBMTOOLS\APTEZBTN\APTEZBP.EXE
C:\MOUSE\SYSTEM\EM_EXEC.EXE
C:\CSAFE\AUTOCHK.EXE
C:\PROGRAM FILES\VISIONEER ONETOUCH\ONETOUCHMON.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\DLINK.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\WEB\ODBCEULA.EXE
C:\PROGRAM FILES\PALM\HOTSYNC.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50141
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cox.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50141
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50141
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSB.DLL (file missing)
O2 - BHO: CATLEvents Object - {D487068E-9B04-4FE5-8A83-08344F800BF5} - C:\WINDOWS\TEMP\ALUECBDO.DAT
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSB.DLL (file missing)
O2 - BHO: IEBho Class - {D8E25C53-9508-4f5c-9249-D98D438891D5} - C:\WINDOWS\SYSTEM\SSURF022.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AEZBProc] c:\ibmtools\aptezbtn\aptezbp.exe
O4 - HKLM\..\Run: [EM_EXEC] c:\mouse\system\em_exec.exe
O4 - HKLM\..\Run: [ConfigSafe] C:\CSAFE\AUTOCHK.EXE
O4 - HKLM\..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [NetworkSetup] c:\windows\DLink.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\SYSTEM\QTTASK.EXE
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [*playwin] C:\WINDOWS\INF\INFBACK\PLAYWIN.EXE
O4 - HKLM\..\Run: [*dbwms] C:\WINDOWS\APPPATCH\DBWMS.EXE
O4 - HKLM\..\Run: [TV Media] C:\TV MEDIA\Tvm.exe
O4 - HKLM\..\Run: [XupiterStartup] C:\Program Files\Xupiter\XupiterStartup2003.exe
O4 - HKLM\..\Run: [XupiterCfgLoader] C:\Program Files\Xupiter\XTCfgLoader.exe
O4 - HKLM\..\Run: [MoviePlace] "C:\Program Files\MoviePlace\MoviePlace.exe" /H
O4 - HKLM\..\Run: [FileFreedom_Plugin] C:\PROGRAM FILES\FILEFREEDOM\wtm.exe
O4 - HKLM\..\Run: [DownloadWare] "C:\Program Files\DownloadWare\dw.exe" /H
O4 - HKLM\..\Run: [SearchEnhancement] "C:\PROGRAM FILES\SCBAR\V1\SCBAR.EXE" /U
O4 - HKLM\..\Run: [SafeSurfingUpdate] C:\WINDOWS\SYSTEM\SSUpdate.exe
O4 - HKLM\..\Run: [BELT] C:\WINDOWS\BELT.exe
O4 - HKLM\..\Run: [Antivirus] C:\WINDOWS\AV.EXE
O4 - HKLM\..\Run: [MemoryMeter] C:\PROGRAM FILES\MEMORYMETER\MEMORYMETER.EXE
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe C:\PROGRA~1\WILDTA~1\APPS\CDA\CDAENG~1.DLL,cdaEngineMain
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSA.EXE
O4 - HKLM\..\Run: [*odbceula] C:\WINDOWS\WEB\ODBCEULA.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [WinTools] C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSA.EXE
O4 - HKLM\..\RunOnce: [*odbceula] C:\WINDOWS\WEB\ODBCEULA.EXE rerun
O4 - HKCU\..\Run: [TV Media] C:\TV MEDIA\Tvm.exe
O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\SCANSOFT\PAPERP~1\PPWebCap.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Download Plus.lnk = C:\WINDOWS\Application Data\DownloadPlus.exe
O4 - Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\SYSTEM\E_SRCV03.EXE
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: updater.lnk = C:\Program Files\Enigma Software Group\SpyHunter\Backup\XupiterToolbarInstaller.exe.bak
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE (file missing)
O16 - DPF: {9DBAFCCF-592F-FFFF-FFFF-00608CEC297C} - http://wdownload.weatherbug.com/minibug/tr...uginstaller.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup145.cab

Also note, as per your note, some of the items you wanted me to remove were not on the list. Not sure this means anything. The improvement so far has been 200% !!
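The check JazeGrly is doing by eye here (which of the entries raw asked to fix are still in the new log, and what new ones have shown up) can be automated. The script below is an added example, not code from this thread or from HijackThis: it parses HJT-style `R*`/`O*` lines, reports which entries from a "fix checked" list survive in a follow-up log (matching even when HijackThis has appended "(file missing)" to a dead entry), lists entries the fix list did not cover, and attaches a reason when an entry shows the patterns visible in these logs. The sample text is a constructed subset of the entries posted above; the folder list and the flag rules are my own heuristics, not anything HijackThis does.

```python
"""Compare a HijackThis 'fix checked' list against a follow-up HJT log.

Added example for this thread; not part of HijackThis. Heuristics and sample
data are constructed from the entries posted above.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Shape of every entry line in an HJT log: "<tag> - <body>", e.g. "O4 - HKLM\..\Run: [name] path"
_LINE_RE = re.compile(r"^(R\d|O\d+) - (.*)$")

# Windows folders that normally hold data, not autostart executables.
# Assumed list built from paths in the logs above (SPEECH, FONTS, CURSORS, ...).
_ODD_DIRS = ("\\SPEECH\\", "\\FONTS\\", "\\CURSORS\\", "\\APPPATCH\\", "\\HELP\\",
             "\\TASKS\\", "\\MSAGENT\\", "\\INF\\", "\\CONFIG\\", "\\JAVA\\",
             "\\WINDOWS UPDATE SETUP FILES\\")


@dataclass(frozen=True)
class Entry:
    tag: str    # section tag such as "R1", "O2", "O4"
    body: str   # everything after "<tag> - "

    def key(self) -> str:
        """Comparison key: case-insensitive and ignoring HJT's '(file missing)' note,
        so an entry whose file is already gone still matches the line asking to fix it."""
        body = re.sub(r"\s*\(file missing\)\s*$", "", self.body, flags=re.I)
        return f"{self.tag} - {body.strip().upper()}"


def parse_log(text: str) -> list[Entry]:
    """Return the R*/O* entries of a log; header and process list are skipped."""
    entries = []
    for line in text.splitlines():
        m = _LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def still_present(fix_request: str, new_log: str) -> list[Entry]:
    """Entries from the fix list that survive in the follow-up log."""
    present = {e.key() for e in parse_log(new_log)}
    return [e for e in parse_log(fix_request) if e.key() in present]


def not_reviewed(fix_request: str, new_log: str) -> list[Entry]:
    """Entries in the follow-up log that the fix list never mentioned."""
    covered = {e.key() for e in parse_log(fix_request)}
    return [e for e in parse_log(new_log) if e.key() not in covered]


def flag(entry: Entry) -> list[str]:
    """Reasons an entry resembles the hijack entries in this thread (heuristic)."""
    reasons = []
    upper = entry.body.upper()
    if entry.tag == "O4" and re.search(r"\[\*", entry.body):
        reasons.append("Run-key name begins with '*'")
    if entry.tag == "O2" and upper.rstrip().endswith(".DAT"):
        reasons.append("BHO loaded from a .DAT file")
    if "\\TEMP\\" in upper:
        reasons.append("loads from a TEMP folder")
    if entry.tag == "O4" and any(d in upper for d in _ODD_DIRS):
        reasons.append("autostart executable in a non-program folder")
    return reasons


# Constructed sample: a subset of the lines raw asked to fix in the previous reply.
FIX_REQUEST = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50141
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSB.DLL
O4 - HKLM\..\Run: [TV Media] C:\TV MEDIA\Tvm.exe
O4 - HKLM\..\Run: [*LOGBIN] C:\WINDOWS\CONFIG\LOGBIN.EXE
O4 - HKLM\..\Run: [Kpvgpzc] C:\WINDOWS\TEMP\KPVGPZC.EXE
"""

# Constructed sample: a subset of the follow-up log posted above, header included.
NEW_LOG = r"""
Logfile of HijackThis v1.99.0
Scan saved at 9:10:04 PM, on 12/20/04

Running processes:
C:\WINDOWS\EXPLORER.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50141
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSB.DLL (file missing)
O2 - BHO: CATLEvents Object - {D487068E-9B04-4FE5-8A83-08344F800BF5} - C:\WINDOWS\TEMP\ALUECBDO.DAT
O4 - HKLM\..\Run: [TV Media] C:\TV MEDIA\Tvm.exe
O4 - HKLM\..\Run: [*playwin] C:\WINDOWS\INF\INFBACK\PLAYWIN.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
"""

if __name__ == "__main__":
    print("Still present after the fix:")
    for e in still_present(FIX_REQUEST, NEW_LOG):
        print("  ", e.tag, "-", e.body)
    print("Not covered by the fix list:")
    for e in not_reviewed(FIX_REQUEST, NEW_LOG):
        print("  ", e.tag, "-", e.body, "|", "; ".join(flag(e)) or "no flags")
```

Run against the two constructed samples, the script reports the Search Bar hijack, the WinTools BHO and the TV Media Run key as still present (the BHO matches despite the "(file missing)" suffix), and lists the new `.DAT` BHO in TEMP and the `[*playwin]` entry as unreviewed with reasons, while the AVG entry gets no flag. Matching is on the whole normalized line, so an entry that changed its random filename between scans (as the TEMP BHOs do in this thread) shows up as unreviewed rather than as surviving, which is the right call for a helper deciding what to add to the next fix list.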

#6 raw

raw

    Bleeping Hacker


  • Members
  • 2,577 posts
  • OFFLINE
  • Gender:Male
  • Location:Texas
  • Local time:04:28 AM

Posted 20 December 2004 - 11:45 PM

Still have a few that won't play nice, so for this round:

Download KillBox here: KillBox. Unzip it to your desktop. Don't use it yet.

Disconnect from the Internet

Reboot your computer into Safe Mode

Run HijackThis again, click Scan, and put a checkmark next to each of these. Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50141
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50141
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50141
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSB.DLL (file missing)
O2 - BHO: CATLEvents Object - {D487068E-9B04-4FE5-8A83-08344F800BF5} - C:\WINDOWS\TEMP\ALUECBDO.DAT
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSB.DLL (file missing)
O2 - BHO: IEBho Class - {D8E25C53-9508-4f5c-9249-D98D438891D5} - C:\WINDOWS\SYSTEM\SSURF022.DLL

O4 - HKLM\..\Run: [*playwin] C:\WINDOWS\INF\INFBACK\PLAYWIN.EXE
O4 - HKLM\..\Run: [*dbwms] C:\WINDOWS\APPPATCH\DBWMS.EXE
O4 - HKLM\..\Run: [TV Media] C:\TV MEDIA\Tvm.exe
O4 - HKLM\..\Run: [XupiterStartup] C:\Program Files\Xupiter\XupiterStartup2003.exe
O4 - HKLM\..\Run: [XupiterCfgLoader] C:\Program Files\Xupiter\XTCfgLoader.exe
O4 - HKLM\..\Run: [MoviePlace] "C:\Program Files\MoviePlace\MoviePlace.exe" /H
O4 - HKLM\..\Run: [FileFreedom_Plugin] C:\PROGRAM FILES\FILEFREEDOM\wtm.exe
O4 - HKLM\..\Run: [DownloadWare] "C:\Program Files\DownloadWare\dw.exe" /H
O4 - HKLM\..\Run: [SearchEnhancement] "C:\PROGRAM FILES\SCBAR\V1\SCBAR.EXE" /U
O4 - HKLM\..\Run: [SafeSurfingUpdate] C:\WINDOWS\SYSTEM\SSUpdate.exe
O4 - HKLM\..\Run: [BELT] C:\WINDOWS\BELT.exe
O4 - HKLM\..\Run: [Antivirus] C:\WINDOWS\AV.EXE
O4 - HKLM\..\Run: [MemoryMeter] C:\PROGRAM FILES\MEMORYMETER\MEMORYMETER.EXE
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe C:\PROGRA~1\WILDTA~1\APPS\CDA\CDAENG~1.DLL,cdaEngineMain
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSA.EXE
O4 - HKLM\..\Run: [*odbceula] C:\WINDOWS\WEB\ODBCEULA.EXE
O4 - HKCU\..\Run: [TV Media] C:\TV MEDIA\Tvm.exe
O4 - Startup: Download Plus.lnk = C:\WINDOWS\Application Data\DownloadPlus.exe
O4 - Global Startup: updater.lnk = C:\Program Files\Enigma Software Group\SpyHunter\Backup\XupiterToolbarInstaller.exe.bak

Then delete these files or directories (do not be concerned if they do not exist):

C:\PROGRA~1\COMMON~1\WINTOOLS\ <-Delete WINTOOLS Folder
C:\WINDOWS\SYSTEM\SSURF022.DLL
C:\TV MEDIA\Tvm.exe <-Delete TV Media Folder
C:\Program Files\Xupiter\XupiterStartup2003.exe <-Delete Xupiter Folder
C:\Program Files\Xupiter\XTCfgLoader.exe
C:\Program Files\MoviePlace\MoviePlace.exe <-Delete MoviePlace Folder
C:\PROGRAM FILES\FILEFREEDOM\wtm.exe <-Delete Filefreedom Folder
C:\Program Files\DownloadWare\dw.exe <-Delete Downloadware Folder
C:\PROGRAM FILES\SCBAR\V1\SCBAR.EXE <-Delete SCBAR Folder
C:\WINDOWS\SYSTEM\SSUpdate.exe
C:\WINDOWS\BELT.exe
C:\WINDOWS\AV.EXE
C:\PROGRAM FILES\MEMORYMETER\MEMORYMETER.EXE <-Delete MemoryMeter Folder
C:\Program Files\Internet Optimizer\optimize.exe <-Delete InternetOptimizer Folder
C:\PROGRA~1\WILDTA~1\
C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSA.EXE
C:\TV MEDIA\Tvm.exe
C:\WINDOWS\Application Data\DownloadPlus.exe

Start Killbox.exe

Click on Tools - Delete Temp files

Select the Delete on reboot option.

Copy and paste the line below in the field labeled "Full path of file to delete"
C:\WINDOWS\INF\INFBACK\PLAYWIN.EXE
C:\WINDOWS\APPPATCH\DBWMS.EXE
C:\WINDOWS\WEB\ODBCEULA.EXE

Then press the button that looks like a red circle with a white X in it.
When it asks if you would like to reboot now, press the NO button until all files have been entered, then press YES.

Allow it to reboot and post a new log.


 rawcreations.net          @raw_creations


Current systems: WHAT OS, BackTrack-raw, PCLinuxOS, Peppermint OS 6, Kali Linux

and a custom Linux From Scratch server hosting a bunch of top secret stuff.


#7 JazeGrly

JazeGrly
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:05:28 AM

Posted 29 December 2004 - 07:41 PM

Hi...sorry it's taken so long to respond. Hectic holidays, and I hope yours were great for you!!
Below is the new log file. I hope that I have been following your directions correctly. I did not have any instructions on how to delete files or directories and have been doing that from the Windows Explorer. I hope this is right, please correct me if not. Thanks again for all your help!!

Logfile of HijackThis v1.99.0
Scan saved at 7:35:57 PM, on 12/29/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\IBMTOOLS\APTEZBTN\APTEZBP.EXE
C:\MOUSE\SYSTEM\EM_EXEC.EXE
C:\CSAFE\AUTOCHK.EXE
C:\PROGRAM FILES\VISIONEER ONETOUCH\ONETOUCHMON.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\DLINK.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\PALM\HOTSYNC.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cox.net/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AEZBProc] c:\ibmtools\aptezbtn\aptezbp.exe
O4 - HKLM\..\Run: [EM_EXEC] c:\mouse\system\em_exec.exe
O4 - HKLM\..\Run: [ConfigSafe] C:\CSAFE\AUTOCHK.EXE
O4 - HKLM\..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [NetworkSetup] c:\windows\DLink.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\SYSTEM\QTTASK.EXE
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [WinTools] C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSA.EXE
O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\SCANSOFT\PAPERP~1\PPWebCap.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\SYSTEM\E_SRCV03.EXE
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE (file missing)
O16 - DPF: {9DBAFCCF-592F-FFFF-FFFF-00608CEC297C} - http://wdownload.weatherbug.com/minibug/tr...uginstaller.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup145.cab

#8 JazeGrly

JazeGrly
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:05:28 AM

Posted 04 January 2005 - 07:17 AM

Hi, I know you are probably real busy with other logs and I realize it took me a while to respond last time. Just checking in, not sure I'm all set here or not. The system seemed to be running fine for the most part at this time. Thanks for your time! ~Lisa



