Jump to content


Photo

hijack log, thanks


  • Please log in to reply
4 replies to this topic

#1 tarpaulin

tarpaulin

    Member

  • New Member
  • Pip
  • 3 posts

Posted 11 June 2004 - 07:36 PM

hi all!
my homepage had been hijacked earlier today by the notorious coolwebsearch trojan so i downloaded and ran CWShredder. it has been seemingly successful in that my homepage is no longer hijacked, thankfully. however, i think i still may have some kind of virus because C:\WINDOWS\dl.html, whatever that is, attempts to load everytime i start my computer and every once in a while while i'm on the net. i've tried deleting the file (C:\WINDOWS\dl.html) from my windows folder, but it always seems to come back whenever i restart or shut-off my computer. any help or remedies on getting rid of this nuisance would be greatly appreciated. heres my hijackthis log:

Logfile of HijackThis v1.97.7
Scan saved at 4:53:19 PM, on 6/11/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\WINDOWS\SYSTEM32\WINTIME.EXE
C:\PROGRAM FILES\AIM95\AIM.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\AMERICA ONLINE 6.0\AOLTRAY.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Users System] C:\WINDOWS\svchost.exe
O4 - HKLM\..\Run: [WinTime] C:\WINDOWS\system32\wintime.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [Users System] C:\WINDOWS\svchost.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Users System] C:\WINDOWS\svchost.exe
O4 - HKCU\..\RunServices: [Users System] C:\WINDOWS\svchost.exe
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: America Online 6.0 Tray Icon.lnk = C:\America Online 6.0\aoltray.exe
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Literati - http://download.game...nts/y/tt2_x.cab

#2 tarpaulin

tarpaulin

    Member

  • New Member
  • Pip
  • 3 posts

Posted 20 June 2004 - 05:47 PM

please help me!













who wants a pineapple lifesaver?

#3 The Spie

The Spie

    Member

  • Retired Staff - Helper
  • Pip
  • 68 posts

Posted 20 June 2004 - 05:54 PM

tarpaulin:

Please run another HijackThis! log. There are numerous missing entries in yours. Without a complete HijackThis! log, we can't help you.

#4 tarpaulin

tarpaulin

    Member

  • New Member
  • Pip
  • 3 posts

Posted 20 June 2004 - 11:28 PM

whoops! sorry, i dont know what could have went wrong with that first log. heres the thing it may be though: since i started trying to rid my computer of its virus', everything appears to be similar to a safemode state. i mean the display property settings will only let me choose from either 2 or 16 colors and the screen area is stuck at 640 by 480. its very weird. anyway, heres the new log:
Logfile of HijackThis v1.97.7
Scan saved at 8:58:52 PM, on 6/20/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\WINDOWS\SYSTEM32\WINTIME.EXE
C:\PROGRAM FILES\AIM95\AIM.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\AMERICA ONLINE 6.0\AOLTRAY.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\AMERICA ONLINE 6.0\WAOL.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [WinTime] C:\WINDOWS\system32\wintime.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: America Online 6.0 Tray Icon.lnk = C:\America Online 6.0\aoltray.exe
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Literati - http://download.game...nts/y/tt2_x.cab

#5 The Spie

The Spie

    Member

  • Retired Staff - Helper
  • Pip
  • 68 posts

Posted 21 June 2004 - 03:01 PM

tarpaulin:

It looks like you're actually in Safe Mode. There are a lot of entries that should be showing up in a HijackThis! log that aren't (like your start pages and default search engine). Have you tried reinstalling your video drivers? That might help kick it out of this pseudo-Safe Mode that you're in.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button