Multiple Hijacker Help2

#1 JWB178
Full Member, 3 posts

Posted 15 May 2004 - 08:38 PM

Hi
I wasn't sure if you wanted a fresh log for both HijackThis and Ad-aware, so I'm just going to post them both. Thanks.

Logfile of HijackThis v1.97.7
Scan saved at 9:10:18 PM, on 5/15/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MSGLOOP.EXE
C:\WINDOWS\SYSTEM\MSG32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\PROGRAM FILES\AOL COMPANION\COMPANION.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\SCTHEMES\SCTHEMES.EXE
C:\WINDOWS\SYSTEM\LEXPPS.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\AMERICA ONLINE 8.0B\AOL.EXE
C:\PROGRAM FILES\AMERICA ONLINE 8.0B\WAOL.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\PRIVACYERASER COMPUTING\PRIVACY ERASER PRO\PRIVACYERASER.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

O2 - BHO: (no name) - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\PROGRAM FILES\DAP\DAPBHO.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\PROGRAM FILES\DAP\DAPIEBAR.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [LexStart] lexstart.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\SYGATE\SPF\SMC.EXE -startgui
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SmcService] C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
O4 - HKCU\..\Run: [Weather] C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE 1
O4 - HKCU\..\RunServices: [Weather] C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE 1
O4 - Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Startup: ScreenThemes.lnk = C:\scthemes\scthemes.exe
O4 - Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0b\aoltray.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: &AOL Toolbar search - res://C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL/SEARCH.HTML
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Run DAP (HKLM)
O9 - Extra button: WeatherBug (HKCU)
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamesp...nch/alaunch.cab
O16 - DPF: {525A15D0-4938-11D4-94C7-0050DA20189B} - http://aol.ea.com/do...py/iesnoopy.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.14...tiveXImgCtl.CAB
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft...tail/DASAct.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7752.1399074074
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com...kup/qdiagcc.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weat...Transporter.cab?
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot....ownload/kdx.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredim...er/imloader.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://www.frightmis...sCamControl.ocx
O16 - DPF: {75565ED2-1560-4F15-B841-20358DE6A0D1} (ImageControl Class) - http://content.ances...ll/MFImgVwr.cab
O16 - DPF: Tri-Peaks by pogo - http://peaks.pogo.co...s-ob-assets.cab
O16 - DPF: Fortune Bingo by pogo - http://superbingo.po...o-ob-assets.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net


Lavasoft Ad-aware Personal Build 6.181
Logfile created on :Saturday, May 15, 2004 8:50:58 PM
Created with Ad-aware Personal, free for private use.
Using reference-file :01R303 08.05.2004
______________________________________________________

Reffile status:
=========================
Reference file loaded:
Reference Number : 01R303 08.05.2004
Internal build : 235
File location : C:\PROGRAM FILES\LAVASOFT\AD-AWARE 6\reflist.ref
Total size : 1096786 Bytes
Signature data size : 1078166 Bytes
Reference data size : 18556 Bytes
Signatures total : 24182
Target categories : 10
Target families : 463

Memory + processor status:
==========================
Number of processors : 1
Processor architecture : Intel Pentium III
Memory available:0 %
Total physical memory:97736 kb
Available physical memory:5864 kb
Total page file size:1999412 kb
Available on page file:1858136 kb
Total virtual memory:2093056 kb
Available virtual memory:2030336 kb
OS:Windows (ME)

Ad-aware Settings
=========================
Set : Activate in-depth scan (Recommended)
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file

Extended Ad-aware Settings
=========================
Set : Unload recognized processes during scanning
Set : Include basic Ad-aware settings in logfile
Set : Include additional Ad-aware settings in logfile
Set : Let windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Always back up reference file, before updating
Set : Play sound if scan produced a result


5-15-2004 8:50:59 PM - Scan started. (Smart mode)

Listing running processes
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

#:1 [kernel32.dll]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4293901711
Threads : 7
Priority : High
FileSize : 524 KB
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
Copyright : Copyright © Microsoft Corp. 1991-2000
CompanyName : Microsoft Corporation
FileDescription : Win32 Kernel core component
InternalName : KERNEL32
OriginalFilename : KERNEL32.DLL
ProductName : Microsoft® Windows® Millennium Operating System
Created on : 1/1/1601
Last accessed : 5/15/2004 4:00:00 AM
Last modified : 6/8/2000 9:00:00 PM

#:2 [msgsrv32.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294965095
Threads : 1
Priority : Normal
FileSize : 11 KB
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
Copyright : Copyright © Microsoft Corp. 1992-1998
CompanyName : Microsoft Corporation
FileDescription : Windows 32-bit VxD Message Server
InternalName : MSGSRV32
OriginalFilename : MSGSRV32.EXE
ProductName : Microsoft® Windows® Millennium Operating System
Created on : 1/1/1601
Last accessed : 5/15/2004 4:00:00 AM
Last modified : 6/8/2000 9:00:00 PM

#:3 [msgloop.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294842371
Threads : 1
Priority : Normal
FileSize : 5 KB
FileVersion : 4.05.00.2112
ProductVersion : 4.05.00.2112
Copyright : Copyright © Conexant Corporation 1996-1998.
CompanyName : Conexant Corporation
FileDescription : Conexant WaveStream Message Server
InternalName : MSGLOOP.EXE
OriginalFilename : MSGLOOP.EXE
ProductName : WaveStream\Endless Wave
Created on : 11/16/2001 12:40:17 PM
Last accessed : 5/15/2004 4:00:00 AM
Last modified : 2/16/2000 8:37:32 PM

#:4 [msg32.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294863311
Threads : 1
Priority : Realtime
FileSize : 16 KB
FileVersion : 4.05.00.2112
ProductVersion : 4.05.00.2112
Copyright : Copyright
CompanyName : Conexant Corporation
FileDescription : Conexant WaveStream Message Server
InternalName : MSG32.EXE
OriginalFilename : MSG32.EXE
ProductName : WaveStream\Endless Wave
Created on : 11/16/2001 12:40:17 PM
Last accessed : 5/15/2004 4:00:00 AM
Last modified : 2/16/2000 8:39:40 PM

#:5 [mmtask.tsk]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294863611
Threads : 1
Priority : Normal
FileSize : 1 KB
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
Copyright : Copyright
CompanyName : Microsoft Corporation
FileDescription : Multimedia background task support module
InternalName : mmtask.tsk
OriginalFilename : mmtask.tsk
ProductName : Microsoft Windows
Created on : 1/1/1601
Last accessed : 5/15/2004 4:00:00 AM
Last modified : 6/8/2000 9:00:00 PM

#:6 [mprexe.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294867099
Threads : 1
Priority : Normal
FileSize : 28 KB
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
Copyright : Copyright © Microsoft Corp. 1993-2000
CompanyName : Microsoft Corporation
FileDescription : WIN32 Network Interface Service Process
InternalName : MPREXE
OriginalFilename : MPREXE.EXE
ProductName : Microsoft® Windows® Millennium Operating System
Created on : 1/1/1601
Last accessed : 5/15/2004 4:00:00 AM
Last modified : 6/8/2000 9:00:00 PM

#:7 [mstask.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294857499
Threads : 2
Priority : Normal
FileSize : 124 KB
FileVersion : 4.71.2721.1
ProductVersion : 4.71.2721.1
Copyright : Copyright © Microsoft Corp. 2000
CompanyName : Microsoft Corporation
FileDescription : Task Scheduler Engine
InternalName : TaskScheduler
OriginalFilename : mstask.exe
ProductName : Microsoft
Created on : 1/1/1601
Last accessed : 5/15/2004 4:00:00 AM
Last modified : 6/8/2000 9:00:00 PM

#:8 [smc.exe]
FilePath : C:\PROGRAM FILES\SYGATE\SPF\
ProcessID : 4294898195
Threads : 18
Priority : Normal
FileSize : 2289 KB
FileVersion : 5.5.00.2525
ProductVersion : 5.5.00.2525
Copyright : Copyright
CompanyName : Sygate Technologies, Inc.
FileDescription : Sygate Agent Firewall
InternalName : Smc
OriginalFilename : Smc.EXE
ProductName : Sygate
Created on : 12/24/2003 6:44:56 PM
Last accessed : 5/15/2004 4:00:00 AM
Last modified : 12/24/2003 6:44:56 PM

#:9 [explorer.exe]
FilePath : C:\WINDOWS\
ProcessID : 4294818979
Threads : 19
Priority : Normal
FileSize : 220 KB
FileVersion : 5.50.4134.100
ProductVersion : 5.50.4134.100
Copyright : Copyright © Microsoft Corp. 1981-2000
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
OriginalFilename : EXPLORER.EXE
ProductName : Microsoft® Windows ® 2000 Operating System
Created on : 6/8/2000 9:00:00 PM
Last accessed : 5/15/2004 4:00:00 AM
Last modified : 6/8/2000 9:00:00 PM

#:10 [stmgr.exe]
FilePath : C:\WINDOWS\SYSTEM\RESTORE\
ProcessID : 4294725227
Threads : 4
Priority : Normal
FileSize : 60 KB
FileVersion : 4.90.0.2533
ProductVersion : 4.90.0.2533
Copyright : Copyright © Microsoft Corp. 1981-2000
CompanyName : Microsoft Corporation
FileDescription : Microsoft ® PC State Manager
InternalName : StateMgr.exe
OriginalFilename : StateMgr.exe
ProductName : Microsoft ® PCHealth
Created on : 1/1/1601
Last accessed : 5/15/2004 4:00:00 AM
Last modified : 6/8/2000 9:00:00 PM

#:11 [systray.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294877591
Threads : 2
Priority : Normal
FileSize : 36 KB
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
Copyright : Copyright © Microsoft Corp. 1993-2000
CompanyName : Microsoft Corporation
FileDescription : System Tray Applet
InternalName : SYSTRAY
OriginalFilename : SYSTRAY.EXE
ProductName : Microsoft® Windows® Millennium Operating System
Created on : 1/1/1601
Last accessed : 5/15/2004 4:00:00 AM
Last modified : 6/8/2000 9:00:00 PM

#:12 [taskmon.exe]
FilePath : C:\WINDOWS\
ProcessID : 4294763331
Threads : 1
Priority : Normal
FileSize : 28 KB
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
Copyright : Copyright © Microsoft Corp. 1998
CompanyName : Microsoft Corporation
FileDescription : Task Monitor
InternalName : TaskMon
OriginalFilename : TASKMON.EXE
ProductName : Microsoft® Windows® Millennium Operating System
Created on : 1/1/1601
Last accessed : 5/15/2004 4:00:00 AM
Last modified : 6/8/2000 9:00:00 PM

#:13 [avgcc32.exe]
FilePath : C:\PROGRAM FILES\GRISOFT\AVG6\
ProcessID : 4294671151
Threads : 1
Priority : Normal
FileSize : 396 KB
FileVersion : 6, 0, 0, 427
ProductVersion : 6, 0, 0, 0
Copyright : Copyright
CompanyName : GRISOFT s.r.o.
FileDescription : AVG Control Center
InternalName : AvgCC32
OriginalFilename : AvgCC32.EXE
ProductName : AVG Anti-Virus System
Created on : 4/13/2003 11:01:16 AM
Last accessed : 5/15/2004 4:00:00 AM
Last modified : 4/13/2003 11:01:18 AM

#:14 [internat.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294660447
Threads : 1
Priority : Normal
FileSize : 48 KB
FileVersion : 4.90.1000.0
ProductVersion : 4.90.1000.0
Copyright : Copyright © Microsoft Corp. 1981-2000
CompanyName : Microsoft Corporation
FileDescription : Internat
InternalName : Internat - exe
OriginalFilename : INTERNAT.EXE
ProductName : Microsoft® Windows NT® Operating System
Created on : 1/1/1601
Last accessed : 5/15/2004 4:00:00 AM
Last modified : 6/8/2000 9:00:00 PM

#:15 [winampa.exe]
FilePath : C:\PROGRAM FILES\WINAMP\
ProcessID : 4294689491
Threads : 1
Priority : Normal
FileSize : 33 KB
Created on : 12/13/2003 12:50:34 AM
Last accessed : 5/15/2004 4:00:00 AM
Last modified : 12/13/2003 12:50:34 AM

#:16 [realsched.exe]
FilePath : C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\
ProcessID : 4294755263
Threads : 2
Priority : Normal
FileSize : 176 KB
FileVersion : 0.1.0.3034
ProductVersion : 0.1.0.3034
Copyright : Copyright
CompanyName : RealNetworks, Inc.
FileDescription : RealNetworks Scheduler
InternalName : schedapp
OriginalFilename : realsched.exe
ProductName : RealPlayer (32-bit)
Created on : 5/13/2004 10:50:25 PM
Last accessed : 5/15/2004 4:00:00 AM
Last modified : 5/13/2004 10:50:26 PM

#:17 [weather.exe]
FilePath : C:\PROGRAM FILES\AWS\WEATHERBUG\
ProcessID : 4294587747
Threads : 1
Priority : Normal
FileSize : 808 KB
FileVersion : 5, 0, 0, 5
ProductVersion : 5, 0, 0, 5
Copyright : Copyright
CompanyName : AWS Convergence Technologies, Inc.
FileDescription : WeatherBug
InternalName : Desktop Weather
OriginalFilename : WeatherBug.exe
ProductName : AWS, Inc.WeatherBug
Created on : 9/18/2003 8:10:53 AM
Last accessed : 5/15/2004 4:00:00 AM
Last modified : 4/25/2003 6:38:08 PM

#:18 [lexbces.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294605571
Threads : 8
Priority : Normal
FileSize : 296 KB
FileVersion : 8.16
ProductVersion : 8.16
Copyright : © 1993 - 2003 Lexmark International, Inc.
CompanyName : Lexmark International, Inc.
FileDescription : LexBce Service
InternalName : LexBce Service
OriginalFilename : LexBceS.exe
ProductName : MarkVision for Windows (32 bit)
Created on : 5/3/2004 4:35:32 PM
Last accessed : 5/15/2004 4:00:00 AM
Last modified : 2/28/2003 5:28:34 AM

#:19 [companion.exe]
FilePath : C:\PROGRAM FILES\AOL COMPANION\
ProcessID : 4294610271
Threads : 5
Priority : Normal
FileSize : 212 KB
FileVersion : 1, 0, 120, 1
ProductVersion : 1, 0, 120, 1
Copyright : Copyright 2002
CompanyName : Copyright 2002
FileDescription : Companion Module
InternalName : Companion
OriginalFilename : Companion.EXE
ProductName : Companion Module
Created on : 4/22/2003 8:21:38 PM
Last accessed : 5/15/2004 4:00:00 AM
Last modified : 10/15/2002 7:33:06 PM

#:20 [rpcss.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294596775
Threads : 5
Priority : Normal
FileSize : 20 KB
FileVersion : 4.71.3328
ProductVersion : 4.71.3328
Copyright : Copyright © Microsoft Corp. 1981-1998
CompanyName : Microsoft Corporation
FileDescription : Distributed COM Services
InternalName : rpcss.exe
OriginalFilename : rpcss.exe
ProductName : Microsoft® Windows NT™ Operating System
Created on : 1/1/1601
Last accessed : 5/15/2004 4:00:00 AM
Last modified : 6/8/2000 9:00:00 PM

#:21 [wmiexe.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294624107
Threads : 3
Priority : Normal
FileSize : 16 KB
FileVersion : 4.90.2452.1
ProductVersion : 4.90.2452.1
Copyright : Copyright © Microsoft Corp. 1981-1999
CompanyName : Microsoft Corporation
FileDescription : WMI service exe housing
InternalName : wmiexe
OriginalFilename : wmiexe.exe
ProductName : Microsoft® Windows® Millennium Operating System
Created on : 1/1/1601
Last accessed : 5/15/2004 4:00:00 AM
Last modified : 6/8/2000 9:00:00 PM

#:22 [ddhelp.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294515607
Threads : 6
Priority : Realtime
FileSize : 31 KB
FileVersion : 4.08.01.0881
ProductVersion : 4.08.01.0881
Copyright : Copyright
CompanyName : Microsoft Corporation
FileDescription : Microsoft DirectX Helper
InternalName : DDHelp.exe
OriginalFilename : DDHelp.exe
ProductName : Microsoft
Created on : 9/1/2002 4:37:29 PM
Last accessed : 5/15/2004 4:00:00 AM
Last modified : 5/1/2002 10:51:36 PM

#:23 [wzqkpick.exe]
FilePath : C:\PROGRAM FILES\WINZIP\
ProcessID : 4294512655
Threads : 1
Priority : Normal
FileSize : 116 KB
FileVersion : 1.0 (32-bit)
ProductVersion : 9.0 (6028)
Copyright : Copyright © WinZip Computing, Inc. 1991-2004 - All Rights Reserved
CompanyName : WinZip Computing, Inc.
FileDescription : WinZip Executable
InternalName : WZQKPICK.EXE
OriginalFilename : WZQKPICK.EXE
ProductName : WinZip
Created on : 8/19/2002 2:03:52 AM
Last accessed : 5/15/2004 4:00:00 AM
Last modified : 2/11/2004 1:00:00 PM

#:24 [scthemes.exe]
FilePath : C:\SCTHEMES\
ProcessID : 4294521403
Threads : 1
Priority : Normal
FileSize : 236 KB
FileVersion : 2, 22, 3, 0
ProductVersion : 2, 22, 3, 0
Copyright : Copyright © 1997-2003 by Vision X Software, Inc. All Rights Reserved.
CompanyName : Vision X Software, Inc.
FileDescription : ScreenThemes Application
InternalName : scthemes
OriginalFilename : scthemes.exe
ProductName : ScreenThemes
Created on : 5/10/2003 9:49:31 AM
Last accessed : 5/15/2004 4:00:00 AM
Last modified : 2/25/2003 6:00:52 PM

#:25 [lexpps.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294657307
Threads : 10
Priority : Normal
FileSize : 170 KB
FileVersion : 8.16
ProductVersion : 8.16
Copyright : © 1993 - 2003 Lexmark International, Inc.
CompanyName : Lexmark International, Inc.
FileDescription : LEXPPS.EXE
InternalName : LEXPPS
OriginalFilename : LEXPPS.EXE
ProductName : MarkVision for Windows (32 bit)
Created on : 5/3/2004 4:35:38 PM
Last accessed : 5/15/2004 4:00:00 AM
Last modified : 2/28/2003 5:26:00 AM

#:26 [stimon.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4293337371
Threads : 5
Priority : Normal
FileSize : 27 KB
FileVersion : 4.90.3000.1
ProductVersion : 4.90.3000.1
Copyright : Copyright © Microsoft Corp. 1981-2000
CompanyName : Microsoft Corporation
FileDescription : Still Image Devices Monitor
InternalName : STIMON
OriginalFilename : STIMON.EXE
ProductName : Microsoft® Windows® Millennium Operating System
Created on : 1/1/1601
Last accessed : 5/15/2004 4:00:00 AM
Last modified : 6/8/2000 9:00:00 PM

#:27 [aol.exe]
FilePath : C:\PROGRAM FILES\AMERICA ONLINE 8.0B\
ProcessID : 4294593603
Threads : 1
Priority : Normal
FileSize : 44 KB
FileVersion : 8.00.000
ProductVersion : 8.00.000
Copyright : Copyright © America Online, Inc. 1999 - 2002
CompanyName : America Online, Inc.
FileDescription : America Online
InternalName : AOL
OriginalFilename : AOL
ProductName : America Online
Created on : 4/22/2003 8:19:12 PM
Last accessed : 5/15/2004 4:00:00 AM
Last modified : 10/15/2002 8:45:08 PM

#:28 [waol.exe]
FilePath : C:\PROGRAM FILES\AMERICA ONLINE 8.0B\
ProcessID : 4294646527
Threads : 15
Priority : Normal
FileSize : 228 KB
FileVersion : 8.00.000
ProductVersion : 8.00.000
Copyright : Copyright © America Online, Inc. 1999 - 2002
CompanyName : America Online, Inc.
FileDescription : AOL
InternalName : WAOL
OriginalFilename : WAOL
ProductName : America Online
Created on : 4/22/2003 8:19:12 PM
Last accessed : 5/15/2004 4:00:00 AM
Last modified : 10/15/2002 8:45:10 PM

#:29 [spool32.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4293347679
Threads : 5
Priority : Normal
FileSize : 44 KB
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
Copyright : Copyright © Microsoft Corp. 1994 - 1998
CompanyName : Microsoft Corporation
FileDescription : Spooler Sub System Process
InternalName : spool32
OriginalFilename : spool32.exe
ProductName : Microsoft® Windows® Millennium Operating System
Created on : 1/1/1601
Last accessed : 5/15/2004 4:00:00 AM
Last modified : 6/8/2000 9:00:00 PM

#:30 [rnaapp.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4293231279
Threads : 4
Priority : Normal
FileSize : 56 KB
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
Copyright : Copyright © Microsoft Corp. 1992-1996
CompanyName : Microsoft Corporation
FileDescription : Dial-Up Networking Application
InternalName : RNAAPP
OriginalFilename : RNAAPP.EXE
ProductName : Microsoft® Windows® Millennium Operating System
Created on : 1/1/1601
Last accessed : 5/15/2004 4:00:00 AM
Last modified : 6/8/2000 9:00:00 PM

#:31 [tapisrv.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4293259027
Threads : 6
Priority : Normal
FileSize : 120 KB
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
Copyright : Copyright © Microsoft Corp. 1994-1998
CompanyName : Microsoft Corporation
FileDescription : Microsoft
InternalName : Telephony Service
OriginalFilename : TAPISRV.EXE
ProductName : Microsoft® Windows® Millennium Operating System
Created on : 1/1/1601
Last accessed : 5/15/2004 4:00:00 AM
Last modified : 6/8/2000 9:00:00 PM

#:32 [ad-aware.exe]
FilePath : C:\PROGRAM FILES\LAVASOFT\AD-AWARE 6\
ProcessID : 4293175279
Threads : 2
Priority : Normal
FileSize : 668 KB
FileVersion : 6.0.1.181
ProductVersion : 6.0.0.0
Copyright : Copyright
CompanyName : Lavasoft Sweden
FileDescription : Ad-aware 6 core application
InternalName : Ad-aware.exe
OriginalFilename : Ad-aware.exe
ProductName : Lavasoft Ad-aware Plus
Created on : 10/20/2003 7:57:22 AM
Last accessed : 5/15/2004 4:00:00 AM
Last modified : 7/13/2003 2:00:20 AM

Memory scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 0


Started registry scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Registry scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 0


Started deep registry scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainStart Pageabout:blank

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "about:blank"
Category : Data Miner
Comment : Possible browser hijack attempt
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Internet Explorer\Main
Value : Start Page
Data : "about:blank"

Possible browser hijack attempt : .Default\Software\Microsoft\Internet Explorer\MainStart Pageabout:blank

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "about:blank"
Category : Data Miner
Comment : Possible browser hijack attempt
Rootkey : HKEY_USERS
Object : .Default\Software\Microsoft\Internet Explorer\Main
Value : Start Page
Data : "about:blank"


Deep registry scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 2
Objects found so far: 2


¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯


Deep scanning and examining files (C:)
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯


Scanning Hosts file(C:\WINDOWS\hosts)
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Hosts file scan result:
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
0 entries scanned.
New objects :0
Objects found so far: 2




Performing conditional scans..
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Conditional scan result:
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 2


8:56:56 PM Scan complete

Summary of this scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Total scanning time :00:05:57:290
Objects scanned :38311
Objects identified :2
Objects ignored :0
New objects :2

#2 WinHelp2002
Taking back the Internet
Global Moderator, 5,365 posts

Posted 16 May 2004 - 06:09 AM

Hi,
Your log looks clean ... are you still having some kind of problem?
If so please explain in detail (error messages, etc.)
Mike
Former Microsoft MVP 1999-2012
"There's no place like 127.0.0.1"
Blocking Malware, Parasites, Hijackers, Trojans, http://www.mvps.org/...p2002/hosts.htm with a HOSTS file

#3 JWB178
Full Member, 3 posts

Posted 17 May 2004 - 08:18 PM

Hi
Well the Internet Explorer start page is still being set to msn.com sometimes when I open IE (I have it set to the blank page under the Internet Options). Also, my "Reset Web Settings" option is still missing in the IE menu.

Also, I'm not sure the browser hijacker is completely removed.

I just ran Ad-aware and it found:

Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainStart Pageabout:blank

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "about:blank"
Category : Data Miner
Comment : Possible browser hijack attempt
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Internet Explorer\Main
Value : Start Page
Data : "about:blank"

Possible browser hijack attempt : .Default\Software\Microsoft\Internet Explorer\MainStart Pageabout:blank

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "about:blank"
Category : Data Miner
Comment : Possible browser hijack attempt
Rootkey : HKEY_USERS
Object : .Default\Software\Microsoft\Internet Explorer\Main
Value : Start Page
Data : "about:blank"

Here is my most recent HijackThis log:

Logfile of HijackThis v1.97.7
Scan saved at 9:19:39 PM, on 5/17/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\LEXPPS.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\MSGLOOP.EXE
C:\WINDOWS\SYSTEM\MSG32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\AOL COMPANION\COMPANION.EXE
C:\SCTHEMES\SCTHEMES.EXE
C:\PROGRAM FILES\AMERICA ONLINE 8.0A\AOLTRAY.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\AMERICA ONLINE 8.0A\WAOL.EXE
C:\PROGRAM FILES\AMERICA ONLINE 8.0A\SHELLMON.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [LexStart] lexstart.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Startup: ScreenThemes.lnk = C:\scthemes\scthemes.exe
O4 - Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0a\aoltray.exe
O4 - Startup: Drempels Desktop.lnk = C:\WINDOWS\drempels.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: &AOL Toolbar search - res://C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL/SEARCH.HTML
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O9 - Extra button: AOL Toolbar (HKLM)
O9 - Extra 'Tools' menuitem: AOL Toolbar (HKLM)
O9 - Extra button: WeatherBug (HKCU)
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.14...tiveXImgCtl.CAB
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft...tail/DASAct.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7752.1399074074
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com...kup/qdiagcc.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weat...Transporter.cab?
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot....ownload/kdx.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredim...er/imloader.cab
O16 - DPF: {75565ED2-1560-4F15-B841-20358DE6A0D1} (ImageControl Class) - http://content.ances...ll/MFImgVwr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net

#4 WinHelp2002
Taking back the Internet
Global Moderator, 5,365 posts

Posted 17 May 2004 - 09:46 PM

Hi,
The "About:Blank" detection by Ad-Aware is a false flag if you set it that way. If you change it to something else and run AWW you should not see that detection.

Also, my "Reset Web Settings" option is still missing

Internet Options | Programs [tab]
Is it missing or is the button "grayed-out" (disabled)

Have HijackThis "fix" the following:

R3 - Default URLSearchHook is missing


Reboot ...

Note: if\when the "Start Page" gets reset to MSN, do not run Ad-Aware, just post a fresh log ...
Mike
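The HijackThis log format in this thread is regular enough to parse, so here is an added Python example (not code from HijackThis, Ad-aware or anyone in the thread) that turns section lines such as R3, O4 and O16 into records and raises the review prompts a helper looks at first: a missing default URLSearchHook, autostart entries with no absolute path or outside the Windows and Program Files trees, and ActiveX (DPF) downloads from a bare IP host. The sample log lines are constructed; the hostnames, the IP literal and the DNS domain in them are placeholders, not values from the thread.

```python
"""Parse HijackThis v1.97-style log lines into records and run a few
defender-side triage checks over them (added example, not HijackThis code)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Constructed sample in the log format shown in the thread.  Hostnames,
# the IP literal and the DNS domain are placeholders, not thread values.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.97.7
C:\WINDOWS\EXPLORER.EXE
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LexStart] lexstart.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKCU\..\Run: [Weather] C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE 1
O4 - Startup: ScreenThemes.lnk = C:\scthemes\scthemes.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.example.com/qtplugin.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://203.0.113.14/ActiveXImgCtl.CAB
O16 - DPF: Tri-Peaks by pogo - http://peaks.example.net/assets.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = example.net
"""

LINE_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.*)$")
O4_REG_RE = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O4_STARTUP_RE = re.compile(r"^Startup: (?P<name>.*?) = (?P<cmd>.*)$")
O16_RE = re.compile(r"^DPF: (?P<label>.*?) - (?P<url>\S+)$")
TRUSTED_ROOTS = ("C:\\WINDOWS\\", "C:\\PROGRAM FILES\\", "C:\\PROGRA~1\\")

@dataclass
class Entry:
    section: str                   # "R3", "O4", "O16", ...
    body: str                      # text after "Oxx - "
    hive: Optional[str] = None     # "HKLM\Run", "HKCU\RunServices" or "Startup"
    name: Optional[str] = None     # value name, .lnk name or DPF label
    command: Optional[str] = None  # program plus arguments (O4) or URL (O16)

def parse_log(text: str) -> List[Entry]:
    """Section lines become Entry records; header and process paths are skipped."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        entry = Entry(m.group("section"), m.group("body"))
        if entry.section == "O4":
            reg, su = O4_REG_RE.match(entry.body), O4_STARTUP_RE.match(entry.body)
            if reg:
                entry.hive = reg.group("hive") + "\\" + reg.group("key")
                entry.name, entry.command = reg.group("name"), reg.group("cmd")
            elif su:
                entry.hive = "Startup"
                entry.name, entry.command = su.group("name"), su.group("cmd")
        elif entry.section == "O16":
            dpf = O16_RE.match(entry.body)
            if dpf:
                entry.name, entry.command = dpf.group("label"), dpf.group("url")
        entries.append(entry)
    return entries

def executable_of(cmd: str) -> str:
    """Program part of an O4 command: honours a quoted path and drops
    trailing switches such as '-service' or '/autorun'."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"^(.*?\.(?:exe|dll|tsk|com))(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split(" ")[0]

def host_is_ip_literal(url: str) -> bool:
    """True when the URL's host is a bare IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(urlparse(url).hostname or "")
        return True
    except ValueError:
        return False

def triage(entries: List[Entry]) -> List[Tuple[str, str, str]]:
    """Review prompts as (section, item, reason); they are not verdicts."""
    findings = []
    for e in entries:
        if e.section == "R3" and "URLSearchHook is missing" in e.body:
            findings.append((e.section, e.body, "default URLSearchHook absent; HijackThis can restore it"))
        elif e.section == "O4" and e.command:
            exe = executable_of(e.command)
            if not re.match(r"^[A-Za-z]:\\", exe):
                findings.append((e.section, e.name or "", f"{exe!r} has no absolute path; confirm which file PATH resolves it to"))
            elif not exe.upper().startswith(TRUSTED_ROOTS):
                findings.append((e.section, e.name or "", f"autostart from {exe!r}, outside the Windows and Program Files trees"))
        elif e.section == "O16" and e.command and host_is_ip_literal(e.command):
            findings.append((e.section, e.name or "", f"ActiveX control downloaded from bare IP host {urlparse(e.command).hostname}"))
    return findings
```

Running `triage(parse_log(SAMPLE_LOG))` on the constructed sample yields five prompts: the R3 line, the two O4 entries with bare filenames, the Startup entry under C:\scthemes, and the O16 control fetched from the IP literal; everything else parses without a flag.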

#5 JWB178
Full Member, 3 posts

Posted 20 May 2004 - 03:34 AM

Hi
Thanks. I set the IE Home page to google.com and then ran Ad-aware again. This time it didn't detect any browser hijack attempt. After I had HijackThis fix the DefaultURLSearchHook, it was restored to msn.com.
The Reset Web Settings is there (where you said) and fully functional. I could have sworn it was also on the Tools menu in Internet Explorer, right where Internet Options is. Maybe it's not, but that's where I thought it was missing.
One other thing: Trend Micro online virus scan found ADW_RULEDOR.C in my memory, which is adware. I can't locate it anywhere on my computer and the free virus scanner couldn't remove it. At the site it says the risk for it is very low. Is it anything to be concerned over or something I should just ignore?
Thanks again.

#6 WinHelp2002
Taking back the Internet
Global Moderator, 5,365 posts

Posted 20 May 2004 - 06:09 AM

JWB178,
You're welcome ... glad to see you have resolved your problem.

Trend Micro online virus scan found ADW_RULEDOR.C

Most likely it's either in your browser cache (files) or in "System Restore"

For the browser cache:
How To: Delete the Internet Explorer Temporary Internet Files
http://www.mvps.org/...02/delcache.htm

For System Restore: (see: "How To" below)
Basically turn off "System Restore" and reboot.
Run a full system (AV) scan, and turn on "System Restore"
Then create a new "Restore Point".

I would suggest adding some "Defense" to your system ...
See section: How To: Prevent this from happening again?
http://www.mvps.org/...02/unwanted.htm
Mike

#7 WinHelp2002
Taking back the Internet
Global Moderator, 5,365 posts

Posted 05 October 2004 - 09:08 PM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team an email with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
Mike
