
HJT Log. Better be answered.


5 replies to this topic

#1 Flame060

Flame060

    Member

  • Full Member
  • 4 posts

Posted 14 June 2004 - 09:46 PM

Tell me what to remove, please!
I'm begging you!
My computer goes at the speed of nothing!




Logfile of HijackThis v1.97.7
Scan saved at 10:40:20 PM, on 6/14/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\MESSENGER PLUS! 2\MSGPLUS.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\WEBSHOTS\WEBSHOTSTRAY.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
D:\NET BATTLE\POKEBATTLE.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\NETBATTLE\FF\POKEBATTLE.EXE
D:\NET BATTLE\POKEBATTLE.EXE
D:\HIKACKTHIS\HIJACKTHIS.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rd.yahoo.com/...://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/...//www.yahoo.com
F1 - win.ini: run=hpfsched
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\COMMON FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {C7262CFC-76A6-31B0-8F87-55F9541939BE} - C:\PROGRAM FILES\BAIT BOWS\DOWNLOAD MPEG.DLL (file missing)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\HIKACK~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [dlder] C:\WINDOWS\explorer\Explorer.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE
O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\SYSUPD.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
O4 - HKCU\..\Run: [spywatch] C:\PROGRAM FILES\BULLETPROOFSOFT.COM\SPYWAREREMOVER\SpyWatch.exe /STARTUP
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Global Startup: Windows Media PowerPoint Helper.lnk = D:\Midea\Tools\nsppthlp.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .PDF: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = vaxxine.com
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 209.5.212.5

#2 Freecube

Freecube

    Member

  • Full Member
  • 42 posts

Posted 14 June 2004 - 11:39 PM

This is my friend's log. I've helped him all I can with it, but I'm certain it needs more. His computer is horridly slow, and spyware just makes it worse. Bump it up.

#3 pfofit

pfofit

    It's raining spyware.

  • Trusted Advisor
  • 171 posts

Posted 15 June 2004 - 12:07 AM

Hi there
Please place a check in the following entries, ensure all IE browser and Windows Explorer windows are closed, then have HijackThis fix them:
O2 - BHO: (no name) - {C7262CFC-76A6-31B0-8F87-55F9541939BE} - C:\PROGRAM FILES\BAIT BOWS\DOWNLOAD MPEG.DLL (file missing)

O4 - HKLM\..\Run: [dlder] C:\WINDOWS\explorer\Explorer.exe
O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\SYSUPD.EXE
O4 - HKLM\..\RunServices: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
O4 - HKCU\..\Run: [spywatch] C:\PROGRAM FILES\BULLETPROOFSOFT.COM\SPYWAREREMOVER\SpyWatch.exe /STARTUP


Note: To avoid the risk of any files not being found because they are hidden, see "Showing hidden files" if needed.
Restart in Safe Mode and
select Start -> Settings -> Control Panel -> Add/Remove Programs, then select and remove the following programs if present:
- BulletProof Software Spyware Remover. It's a pirated rip-off of Ad-aware and causes more harm than good.
- MessengerPlus2

While still in safe mode, find and delete the following files/folders if they still exist:

C:\WINDOWS\explorer\Explorer.exe <-- delete only this file
WARNING: only delete explorer.exe from the location specified

C:\WINDOWS\SYSUPD.EXE <-- delete only this file
C:\Program Files\Messenger Plus! 2 <-- delete only this folder
C:\PROGRAM FILES\BULLETPROOFSOFT.COM <-- delete only this folder

Restart your system and do an online virus scan, deleting anything it finds:
http://housecall.tre.../start_corp.asp

or/and Panda ActiveScan
or/and eTrust Antivirus Web Scanner

Repost here with a new log from HijackThis.

Edited by pfofit, 15 June 2004 - 12:10 AM.
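As an added example (not code from this thread, from pfofit, or from HijackThis itself), here is a small Python checker that applies the kind of triage pfofit did by hand to the O2/O4 lines quoted above: it flags a BHO whose DLL is missing, a core binary such as explorer.exe being launched from a directory other than the Windows system directories, and any autostart name not on an assumed known-good list. The sample lines are copied from the log above; the known-good list and the system-directory set are assumptions a helper would maintain, not something HijackThis provides.

```python
import re
from typing import NamedTuple

# Constructed sample: a handful of the HijackThis lines quoted in the thread above.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\COMMON FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {C7262CFC-76A6-31B0-8F87-55F9541939BE} - C:\PROGRAM FILES\BAIT BOWS\DOWNLOAD MPEG.DLL (file missing)
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [dlder] C:\WINDOWS\explorer\Explorer.exe
O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\SYSUPD.EXE
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE
"""

# Assumed known-good Windows 98 autostart names (a helper's allowlist, not from HijackThis).
KNOWN_GOOD_RUN = {"scanregistry", "taskmonitor", "systemtray", "loadpowerprofile",
                  "loadqm", "nav agent", "scriptblocking"}
# Assumed directories where the genuine copy of a core Win9x binary lives.
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system"}
CORE_BINARIES = {"explorer.exe", "rundll32.exe"}

O2_RE = re.compile(r"^O2 - BHO: .*? - (\{[0-9A-F-]+\}) - (.+?)( \(file missing\))?$", re.I)
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[(.+?)\] (.+)$")

class Finding(NamedTuple):
    line: str
    reason: str

def exe_path(command: str) -> str:
    """Strip surrounding quotes and trailing arguments from an O4 command."""
    cmd = command.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split(" ", 1)[0]

def review_log(text: str) -> list[Finding]:
    findings = []
    for line in text.splitlines():
        m = O2_RE.match(line)
        if m and m.group(3):
            findings.append(Finding(line, "BHO registered but its DLL is missing (orphaned add-on)"))
            continue
        m = O4_RE.match(line)
        if not m:
            continue
        name, path = m.group(3), exe_path(m.group(4)).lower()
        directory, _, base = path.rpartition("\\")
        # A bare name (no directory) is resolved via the search path, so only judge full paths.
        if directory and base in CORE_BINARIES and directory not in SYSTEM_DIRS:
            findings.append(Finding(line, f"{base} loaded from non-system directory {directory!r}"))
        elif name.lower() not in KNOWN_GOOD_RUN:
            findings.append(Finding(line, f"autostart '{name}' not on known-good list; verify"))
    return findings

if __name__ == "__main__":
    for f in review_log(SAMPLE_LOG):
        print(f.reason, "<-", f.line)
```

Run against the sample it reports exactly the three entries pfofit told Flame060 to fix from the O2/O4 sections (the missing-file BHO, the dlder explorer.exe copy and SysUpd) and stays quiet on TaskMonitor and NAV Agent.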


#4 Freecube

Freecube

    Member

  • Full Member
  • 42 posts

Posted 15 June 2004 - 12:29 AM

Flame's gone for today, I think, but on behalf of him, thank you :) I'm sure he'll follow through tomorrow morning.

#5 Flame060

Flame060

    Member

  • Full Member
  • 4 posts

Posted 15 June 2004 - 06:41 AM

Hey! Thanks, dude!
Nothing showed up at all while scanning!
And IE seems to be running more smoothly, and actually getting connected to the internet, that's going faster too! (For dial-up, that is.)

If you still wish for an updated HJT log, here ya go:



Logfile of HijackThis v1.97.7
Scan saved at 2:38:42 AM, on 6/15/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\WEBSHOTS\WEBSHOTSTRAY.EXE
D:\HIKACKTHIS\HIJACKTHIS.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rd.yahoo.com/...://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/...//www.yahoo.com
F1 - win.ini: run=hpfsched
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\COMMON FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\HIKACK~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Global Startup: Windows Media PowerPoint Helper.lnk = D:\Midea\Tools\nsppthlp.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .PDF: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = vaxxine.com
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 209.5.212.5

#6 pfofit

pfofit

    It's raining spyware.

  • Trusted Advisor
  • 171 posts

Posted 15 June 2004 - 10:00 AM

OK Flame,
Things look better now.
Below is my standard speech, and I will add that you are in need of a visit to Windows Update. Go there and install all critical updates, especially SP1. You may need a couple of trips. Go back again and again until there are no more critical updates. It's the way MS does the updates.

I know that you are on dial-up and the update is large, but without it you are vulnerable to more attacks.

You can order a free update disk from MS that covers up till February 2004. Microsoft says it can take 2-4 weeks; however, a lot can happen in that time. Or perhaps you know someone who already has it.

Also, I do not see an antivirus running in your processes. A free one from Grisoft is listed below.
--------------------------------------------------------------------------------------------------------------
Please read through the recommended ideas and free software listed below; they will help keep your computer from being reinfected.
  • Do not let any site install anything if you do not know what it is.

  • Ensure that an antivirus is updated weekly and running. AVG Antivirus from Grisoft is a very good FREE antivirus program if you do not have one already.

  • Make sure you have the latest critical updates from Windows Update.

  • SpywareBlaster will prevent the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted pests.

  • IE-SPYAD puts over 4000 known 'bad' sites into your IE restricted zone so that they cannot install malware on your PC.

  • Google Toolbar has a very good built-in popup blocker with a nice search bar. To provide privacy, select "disable advanced features" when installing.

  • Check your system against the latest virus definitions with an online virus scan.
    Check your system against the latest trojan definitions with an online trojan scan.

  • Spybot S&D 1.3 and/or Ad-aware 6 Free are excellent removal tools and are updated often.

  • And also see this link for additional security information.
    So how did I get infected in the first place?
pfofit



