Jump to content


Photo

Replicating home page problem


  • Please log in to reply
6 replies to this topic

#1 StrawbridgeAcres

StrawbridgeAcres

    Member

  • New Member
  • Pip
  • 4 posts

Posted 12 June 2004 - 05:31 PM

I appreciate any help you may be able to give me. I read your postings and hope I am following your instructions correctly. I cannot get to a site without my home page popping up over and over, then I get popups like a all yellow page with a big STOP sign on it, followed by a picture with an obvious link to a porn site. I do not and have never visited porn sites. I then get many popups, and the home page keeps coming up over and over and over.

I downloaded Ad-Aware, SpyBot, CWShredder, and HiJackThis. I ran Ad-Aware first, followed by SpyBot, followed by CWShredder (said my system was clean), and then HJT. Where possible I updated the application first before running. I am running Windows 98, I have Spy Sweeper and Zone Alarm installed and running when I attempt to use the internet, and the problem continues.

I am going from the computer via a LinkSys wireless card to a LinkSys router, that is cabled via usb to a Westell modum, that is connected to a phone line with DSL service.

Thanks for any help! Very much appreciate your taking time to help! The HJT log follows.

Logfile of HijackThis v1.97.7
Scan saved at 12:06:47 PM, on 6/12/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\WMPCI54G WLAN MONITOR\WMP54G.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\CISCO SYSTEMS\VPN CLIENT\CVPND.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATICWD32.EXE
C:\WINDOWS\SYSTEM\ATITASK.EXE
C:\WINDOWS\STUTFIX.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\CPQEAUI.EXE
C:\COMPAQ\INTERNET\WATCHDOG.EXE
C:\WINDOWS\TEMP\JTY.EXE
C:\WINDOWS\MSCMGR.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE
C:\WINDOWS\SYSTEM\BWJFX8F.EXE
C:\PROGRAM FILES\COMPAQ\ON-SCREEN DISPLAY\OSD.EXE
C:\WINDOWS\SYSTEM\BWJFX8F.EXE
C:\HJT\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.presar...&s=search&i=enu
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msnbc.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.Lcom.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msnbc.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presar...&s=search&i=enu
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.presar...&s=search&i=enu
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.presar...&query=%s&i=enu
R3 - URLSearchHook: (no name) - _{707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-C0FB-EF60B19DB42E} - C:\PROGRA~1\SRNG\SNHELPER.DLL (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Essdc] essdc.exe
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AtiKey] Atitask.exe
O4 - HKLM\..\Run: [CPQSTUTFIX] C:\Windows\stutfix.exe
O4 - HKLM\..\Run: [EACLEAN] C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe /NORESTART
O4 - HKLM\..\Run: [CPQEASYACC] C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\Cpqeaui.exe
O4 - HKLM\..\Run: [Compaq Internet Setup] C:\Compaq\Internet\InetWizard.exe /RUN
O4 - HKLM\..\Run: [Watch Dog Program] C:\COMPAQ\INTERNET\WATCHDOG.EXE
O4 - HKLM\..\Run: [QuickenSEMessage] C:\QUICKENW\QSEMSG.EXE
O4 - HKLM\..\Run: [BillMinder] C:\QUICKENW\BILLMIND.EXE
O4 - HKLM\..\Run: [OEMCleanup] C:\WINDOWS\OPTIONS\OEMRESET.EXE
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Jty] C:\WINDOWS\TEMP\JTY.EXE
O4 - HKLM\..\Run: [MSN Manager] C:\WINDOWS\mscmgr.exe
O4 - HKLM\..\Run: [25R645#2#JERX9] C:\WINDOWS\SYSTEM\HnvnCv.exe
O4 - HKLM\..\Run: [pE9O37j] NCO0_32.EXE
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AutoLoaderptqy1JWjJJWO] "C:\WINDOWS\SYSTEM\NCO0_32.EXE" /PC="AM.WILD" /HideUninstall
O4 - HKLM\..\Run: [TV Media] C:\TV MEDIA\TVM.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [WMLAN54G.exe] C:\Program Files\WMPCI54G WLAN Monitor\WMP54G.exe
O4 - HKLM\..\RunServices: [CVPND] "C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe" start
O4 - HKLM\..\RunServices: [Installer] C:\WINDOWS\SYSTEM\WINST.EXE
O4 - HKLM\..\RunServices: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SPYSWEEPER.EXE" /0
O4 - HKLM\..\RunOnce: [TV Media] C:\TV MEDIA\TVM.EXE
O4 - HKCU\..\RunOnce: [TV Media] C:\TV MEDIA\TVM.EXE
O8 - Extra context menu item: Send Image to Photo Library - file://C:\WINDOWS\Application Data\ROXIO\PhotoSuite4\Temp\ROXIO00000.html
O9 - Extra button: Net2Phone (HKLM)
O9 - Extra 'Tools' menuitem: Net2Phone (HKLM)
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

#2 RealityChuck

RealityChuck

    Member

  • Retired Staff - Helper
  • Pip
  • 30 posts

Posted 12 June 2004 - 10:24 PM

There are several problems here, so let's take them one at a time.

First thing is to clean the Peper Trojan. You can find the tool at http://www.subratam.org/?page=removal Scroll Down to find the Peper Fix. Download the program and run it (you need to be connected to the Internet while doing this). Run it a second time to be sure.

Restart your computer and run another hijackthis log. Post it in this thread. I'll come by and go over what needs to be done next.

#3 StrawbridgeAcres

StrawbridgeAcres

    Member

  • New Member
  • Pip
  • 4 posts

Posted 13 June 2004 - 07:51 AM

Appreciate the Help! I downloaded Peper Fix and ran it. I then rebooted and ran it again. Then I ran HJT and have a new log shown below.

Logfile of HijackThis v1.97.7
Scan saved at 7:40:33 AM, on 6/13/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\WMPCI54G WLAN MONITOR\WMP54G.EXE
C:\PROGRAM FILES\CISCO SYSTEMS\VPN CLIENT\CVPND.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATICWD32.EXE
C:\WINDOWS\SYSTEM\ATITASK.EXE
C:\WINDOWS\STUTFIX.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\CPQEAUI.EXE
C:\COMPAQ\INTERNET\WATCHDOG.EXE
C:\WINDOWS\TEMP\JTY.EXE
C:\WINDOWS\MSCMGR.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE
C:\PROGRAM FILES\COMPAQ\ON-SCREEN DISPLAY\OSD.EXE
C:\HJT\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.presar...&s=search&i=enu
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msnbc.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.Lcom.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msnbc.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presar...&s=search&i=enu
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.presar...&s=search&i=enu
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.presar...&query=%s&i=enu
R3 - URLSearchHook: (no name) - _{707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\TV MEDIA\TvmBho.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-C0FB-EF60B19DB42E} - C:\PROGRA~1\SRNG\SNHELPER.DLL (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Essdc] essdc.exe
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AtiKey] Atitask.exe
O4 - HKLM\..\Run: [CPQSTUTFIX] C:\Windows\stutfix.exe
O4 - HKLM\..\Run: [EACLEAN] C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe /NORESTART
O4 - HKLM\..\Run: [CPQEASYACC] C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\Cpqeaui.exe
O4 - HKLM\..\Run: [Compaq Internet Setup] C:\Compaq\Internet\InetWizard.exe /RUN
O4 - HKLM\..\Run: [Watch Dog Program] C:\COMPAQ\INTERNET\WATCHDOG.EXE
O4 - HKLM\..\Run: [QuickenSEMessage] C:\QUICKENW\QSEMSG.EXE
O4 - HKLM\..\Run: [BillMinder] C:\QUICKENW\BILLMIND.EXE
O4 - HKLM\..\Run: [OEMCleanup] C:\WINDOWS\OPTIONS\OEMRESET.EXE
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Jty] C:\WINDOWS\TEMP\JTY.EXE
O4 - HKLM\..\Run: [MSN Manager] C:\WINDOWS\mscmgr.exe
O4 - HKLM\..\Run: [25R645#2#JERX9] C:\WINDOWS\SYSTEM\Elq0h.exe
O4 - HKLM\..\Run: [pE9O37j] NCO0_32.EXE
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AutoLoaderptqy1JWjJJWO] "C:\WINDOWS\SYSTEM\NCO0_32.EXE" /PC="AM.WILD" /HideUninstall
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [WMLAN54G.exe] C:\Program Files\WMPCI54G WLAN Monitor\WMP54G.exe
O4 - HKLM\..\RunServices: [CVPND] "C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe" start
O4 - HKLM\..\RunServices: [Installer] C:\WINDOWS\SYSTEM\WINST.EXE
O4 - HKLM\..\RunServices: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SPYSWEEPER.EXE" /0
O4 - HKLM\..\RunOnce: [TV Media] C:\TV MEDIA\TVM.EXE
O4 - HKCU\..\RunOnce: [TV Media] C:\TV MEDIA\TVM.EXE
O8 - Extra context menu item: Send Image to Photo Library - file://C:\WINDOWS\Application Data\ROXIO\PhotoSuite4\Temp\ROXIO00000.html
O9 - Extra button: Net2Phone (HKLM)
O9 - Extra 'Tools' menuitem: Net2Phone (HKLM)
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

#4 StrawbridgeAcres

StrawbridgeAcres

    Member

  • New Member
  • Pip
  • 4 posts

Posted 13 June 2004 - 10:23 AM

I downloaded and ran Peper Fix, rebooted, then ran it again. On the second run, no items were found. I then ran HJT and the log file follows.

Logfile of HijackThis v1.97.7
Scan saved at 7:40:33 AM, on 6/13/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\WMPCI54G WLAN MONITOR\WMP54G.EXE
C:\PROGRAM FILES\CISCO SYSTEMS\VPN CLIENT\CVPND.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATICWD32.EXE
C:\WINDOWS\SYSTEM\ATITASK.EXE
C:\WINDOWS\STUTFIX.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\CPQEAUI.EXE
C:\COMPAQ\INTERNET\WATCHDOG.EXE
C:\WINDOWS\TEMP\JTY.EXE
C:\WINDOWS\MSCMGR.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE
C:\PROGRAM FILES\COMPAQ\ON-SCREEN DISPLAY\OSD.EXE
C:\HJT\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.presar...&s=search&i=enu
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msnbc.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.Lcom.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msnbc.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presar...&s=search&i=enu
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.presar...&s=search&i=enu
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.presar...&query=%s&i=enu
R3 - URLSearchHook: (no name) - _{707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\TV MEDIA\TvmBho.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-C0FB-EF60B19DB42E} - C:\PROGRA~1\SRNG\SNHELPER.DLL (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Essdc] essdc.exe
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AtiKey] Atitask.exe
O4 - HKLM\..\Run: [CPQSTUTFIX] C:\Windows\stutfix.exe
O4 - HKLM\..\Run: [EACLEAN] C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe /NORESTART
O4 - HKLM\..\Run: [CPQEASYACC] C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\Cpqeaui.exe
O4 - HKLM\..\Run: [Compaq Internet Setup] C:\Compaq\Internet\InetWizard.exe /RUN
O4 - HKLM\..\Run: [Watch Dog Program] C:\COMPAQ\INTERNET\WATCHDOG.EXE
O4 - HKLM\..\Run: [QuickenSEMessage] C:\QUICKENW\QSEMSG.EXE
O4 - HKLM\..\Run: [BillMinder] C:\QUICKENW\BILLMIND.EXE
O4 - HKLM\..\Run: [OEMCleanup] C:\WINDOWS\OPTIONS\OEMRESET.EXE
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Jty] C:\WINDOWS\TEMP\JTY.EXE
O4 - HKLM\..\Run: [MSN Manager] C:\WINDOWS\mscmgr.exe
O4 - HKLM\..\Run: [25R645#2#JERX9] C:\WINDOWS\SYSTEM\Elq0h.exe
O4 - HKLM\..\Run: [pE9O37j] NCO0_32.EXE
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AutoLoaderptqy1JWjJJWO] "C:\WINDOWS\SYSTEM\NCO0_32.EXE" /PC="AM.WILD" /HideUninstall
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [WMLAN54G.exe] C:\Program Files\WMPCI54G WLAN Monitor\WMP54G.exe
O4 - HKLM\..\RunServices: [CVPND] "C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe" start
O4 - HKLM\..\RunServices: [Installer] C:\WINDOWS\SYSTEM\WINST.EXE
O4 - HKLM\..\RunServices: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SPYSWEEPER.EXE" /0
O4 - HKLM\..\RunOnce: [TV Media] C:\TV MEDIA\TVM.EXE
O4 - HKCU\..\RunOnce: [TV Media] C:\TV MEDIA\TVM.EXE
O8 - Extra context menu item: Send Image to Photo Library - file://C:\WINDOWS\Application Data\ROXIO\PhotoSuite4\Temp\ROXIO00000.html
O9 - Extra button: Net2Phone (HKLM)
O9 - Extra 'Tools' menuitem: Net2Phone (HKLM)
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

#5 RealityChuck

RealityChuck

    Member

  • Retired Staff - Helper
  • Pip
  • 30 posts

Posted 13 June 2004 - 11:21 AM

Good. Now, restart your computer in Safe Mode. To do this, either 1. hold down the Ctrl key or 2. press the F8 key (different versions of Win98 use different methods) until you see a black screen. Use the arrow keys to highlight "Safe Mode" and press Enter

With Internet Explorer closed, run Hijackthis again. Click on "scan" and put a check mark by the following items:

R3 - URLSearchHook: (no name) - _{707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\TV MEDIA\TvmBho.dll
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-C0FB-EF60B19DB42E} - C:\PROGRA~1\SRNG\SNHELPER.DLL (file missing)
O4 - HKLM\..\Run: [Jty] C:\WINDOWS\TEMP\JTY.EXE
O4 - HKLM\..\Run: [MSN Manager] C:\WINDOWS\mscmgr.exe
O4 - HKLM\..\Run: [25R645#2#JERX9] C:\WINDOWS\SYSTEM\Elq0h.exe
O4 - HKLM\..\Run: [pE9O37j] NCO0_32.EXE
O4 - HKLM\..\Run: [AutoLoaderptqy1JWjJJWO] "C:\WINDOWS\SYSTEM\NCO0_32.EXE" /PC="AM.WILD" /HideUninstall
O4 - HKLM\..\RunServices: [Installer] C:\WINDOWS\SYSTEM\WINST.EXE
O4 - HKLM\..\RunServices: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKLM\..\RunOnce: [TV Media] C:\TV MEDIA\TVM.EXE
O4 - HKCU\..\RunOnce: [TV Media] C:\TV MEDIA\TVM.EXE

Click on "Fix checked" and delete the items.

Next, search for the following and, if found, delete:

JTY.EXE
mscmgr.exe
Elq0h.exe
NCO0_32.EXE
WINST.EXE
"C:\Program Files\Common files\WinTools" folder
"C:\TV MEDIA" folder

Restart the computer. Test it out for a few minutes, then post the new hijackthis log.

#6 StrawbridgeAcres

StrawbridgeAcres

    Member

  • New Member
  • Pip
  • 4 posts

Posted 13 June 2004 - 01:03 PM

I followed all instructions above, then restarted the computer and went through several different web sites without ANY popups showing and the home page did not replicate itself even once! Thank you so very much!

I am nearing retirement, and greatly appreciate the help you have provided thus far. I would like to know what I would need to do in order to understand the logs from HiJackThis, and if I could possibly be a resource to help other people. I have worked with computers now for the past 30 years.

The new HiJackThis log follows.

Logfile of HijackThis v1.97.7
Scan saved at 12:59:19 PM, on 6/13/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\WMPCI54G WLAN MONITOR\WMP54G.EXE
C:\PROGRAM FILES\CISCO SYSTEMS\VPN CLIENT\CVPND.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATICWD32.EXE
C:\WINDOWS\SYSTEM\ATITASK.EXE
C:\WINDOWS\STUTFIX.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\CPQEAUI.EXE
C:\COMPAQ\INTERNET\WATCHDOG.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE
C:\PROGRAM FILES\COMPAQ\ON-SCREEN DISPLAY\OSD.EXE
C:\HJT\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.presar...&s=search&i=enu
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msnbc.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.Lcom.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msnbc.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presar...&s=search&i=enu
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.presar...&s=search&i=enu
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.presar...&query=%s&i=enu
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Essdc] essdc.exe
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AtiKey] Atitask.exe
O4 - HKLM\..\Run: [CPQSTUTFIX] C:\Windows\stutfix.exe
O4 - HKLM\..\Run: [EACLEAN] C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe /NORESTART
O4 - HKLM\..\Run: [CPQEASYACC] C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\Cpqeaui.exe
O4 - HKLM\..\Run: [Compaq Internet Setup] C:\Compaq\Internet\InetWizard.exe /RUN
O4 - HKLM\..\Run: [Watch Dog Program] C:\COMPAQ\INTERNET\WATCHDOG.EXE
O4 - HKLM\..\Run: [QuickenSEMessage] C:\QUICKENW\QSEMSG.EXE
O4 - HKLM\..\Run: [BillMinder] C:\QUICKENW\BILLMIND.EXE
O4 - HKLM\..\Run: [OEMCleanup] C:\WINDOWS\OPTIONS\OEMRESET.EXE
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [WMLAN54G.exe] C:\Program Files\WMPCI54G WLAN Monitor\WMP54G.exe
O4 - HKLM\..\RunServices: [CVPND] "C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe" start
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SPYSWEEPER.EXE" /0
O8 - Extra context menu item: Send Image to Photo Library - file://C:\WINDOWS\Application Data\ROXIO\PhotoSuite4\Temp\ROXIO00000.html
O9 - Extra button: Net2Phone (HKLM)
O9 - Extra 'Tools' menuitem: Net2Phone (HKLM)
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

#7 RealityChuck

RealityChuck

    Member

  • Retired Staff - Helper
  • Pip
  • 30 posts

Posted 14 June 2004 - 08:52 AM

It seems OK to me.

If you're interested in getting involved, there are general instructions on Hijackthis at http://www.spywarein...ogtutorial.html There is also a very good tutorial on Hijackthis at Bleeping Computer.

If you feel you want to work on becoming a Helper here, go to http://www.spywarein...hp?showtopic=34 and ask to join the Boot Camp.

30 years, huh? I've been doing it for twenty. It's nice to show the young folk that us old guys can keep up. :D




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button