pc troubleshooting


  • This topic is locked
7 replies to this topic

#1 eagleal

eagleal

    Member

  • Full Member
  • 4 posts

Posted 07 September 2005 - 08:08 AM

Someone please help. When I save my hijack log and then try to open it, it doesn't open; a window keeps coming up asking if I want to save the log or open all the time, so I can't read it. This is my first time on the forum. Don't know if I am doing this correctly.
Regards, Eagleal

#2 eagleal

Posted 08 September 2005 - 10:58 AM

I have somehow now been able to open my hijack list and save it, by saving it under another name such as "tosh" or "rubbish", so can anybody please check my hijack list and startup list to see if there is anything wrong?
Regards, eagleal :rolleyes:


Logfile of HijackThis v1.99.1
Scan saved at 19:38:48, on 07/09/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\MEDIACTR.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\STARTER.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\AHEAD\NERO PHOTOSHOW\DATA\XTRAS\MSSYSMGR.EXE
C:\PROGRAM FILES\SAGEM\SAGEM F@ST 800-840\DSLMON.EXE
C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\PROGRA~1\NETROPA\ONSCRE~1\OSD.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/broadband/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [KBD MediaCenter] C:\Program Files\Netropa\Multimedia Keyboard\MediaCtr.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\AHEAD\NEROPH~2\DATA\XTRAS\MSSYSMGR.EXE
O4 - HKCU\..\RunServices: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\AHEAD\NEROPH~2\DATA\XTRAS\MSSYSMGR.EXE
O4 - Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
StartupList report, 07/09/05, 19:40:10
StartupList version: 1.52
Started from : C:\WINDOWS\TEMP\STARTUPLIST.EXE
Detected: Windows 98 SE (Win9x 4.10.2222A)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\MEDIACTR.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\STARTER.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\AHEAD\NERO PHOTOSHOW\DATA\XTRAS\MSSYSMGR.EXE
C:\PROGRAM FILES\SAGEM\SAGEM F@ST 800-840\DSLMON.EXE
C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\PROGRA~1\NETROPA\ONSCRE~1\OSD.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\WINDOWS\TEMP\STARTUPLIST.EXE

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\WINDOWS\Start Menu\Programs\StartUp]
DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

SystemTray = SysTray.Exe
LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
KBD MediaCenter = C:\Program Files\Netropa\Multimedia Keyboard\MediaCtr.exe
LoadQM = loadqm.exe
EnsoniqMixer = starter.exe
Zone Labs Client = C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
AVG7_EMC = C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
QuickTime Task = "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

PhotoShow Deluxe Media Manager = C:\PROGRA~1\AHEAD\NEROPH~2\DATA\XTRAS\MSSYSMGR.EXE

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=Explorer.exe
SCRNSAVE.EXE=
drivers=mmsystem.dll power.drv

--------------------------------------------------

C:\WINDOWS\WININIT.BAK listing:
(Created 6/9/2005, 20:30:46)

[rename]
C:\PROGRA~1\GRISOFT\AVGFRE~1\AVG.EXE=C:\WINDOWS\ALLUSE~1\APPLIC~1\GRISOFT\AVG7DATA\AVG7UPD\INSTALL.1\AVG.EXE
C:\PROGRA~1\GRISOFT\AVGFRE~1\AVG7CORE.VXD=C:\WINDOWS\ALLUSE~1\APPLIC~1\GRISOFT\AVG7DATA\AVG7UPD\INSTALL.1\AVG7CORE.VXD
C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCORE.DLL=C:\WINDOWS\ALLUSE~1\APPLIC~1\GRISOFT\AVG7DATA\AVG7UPD\INSTALL.1\AVGCORE.DLL
C:\PROGRA~1\GRISOFT\AVGFRE~1\MICROAVI.AVG=C:\WINDOWS\ALLUSE~1\APPLIC~1\GRISOFT\AVG7DATA\AVG7UPD\INSTALL.1\MICROAVI.AVG
C:\PROGRA~1\GRISOFT\AVGFRE~1\UPD_VERS.CFG=C:\WINDOWS\ALLUSE~1\APPLIC~1\GRISOFT\AVG7DATA\AVG7UPD\INSTALL.1\UPD_VERS.CFG
C:\WINDOWS\SYSTEM32\DRIVERS\AVG7CORE.SYS=C:\WINDOWS\ALLUSE~1\APPLIC~1\GRISOFT\AVG7DATA\AVG7UPD\INSTALL.1\AVG7CORE.SYS
C:\PROGRA~1\GRISOFT\AVGFRE~1\INCAVI.AVM=C:\WINDOWS\ALLUSE~1\APPLIC~1\GRISOFT\AVG7DATA\AVG7UPD\INSTALL.1\INCAVI.AVM
NUL=C:\PROGRA~1\GRISOFT\AVGFRE~1\WAIT4SD
NUL=C:\WINDOWS\ALLUSE~1\APPLIC~1\GRISOFT\AVG7DATA\AVG7UPD\INSTALL.1\U-FWD.IDX

--------------------------------------------------

C:\AUTOEXEC.BAT listing:

SET BLASTER=A220 I5 D1 T2
SET SNDSCAPE=C:\WINDOWS

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Tune-up Application Start.job
Symantec NetDetect.job
Maintenance-Defragment programs.job
Maintenance-ScanDisk.job
Maintenance-Disk cleanup.job

--------------------------------------------------

Enumerating Download Program Files:

[Update Class]
InProcServer32 = C:\WINDOWS\SYSTEM\IUCTL.DLL
CODEBASE = http://v4.windowsupd...B?1076770604130

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
CODEBASE = http://download.macr...ash/swflash.cab

[Symantec RuFSI Registry Information Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\RUFSI.DLL
CODEBASE = http://security.syma...n/bin/cabsa.cab

[Office Update Installation Engine]
InProcServer32 = C:\WINDOWS\OPUC.DLL
CODEBASE = http://office.micros...ontent/opuc.cab

[RdxIE Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\RDXIE.DLL
CODEBASE = http://software-dl.r...ip/RdxIE601.cab

[Symantec RuFSI Utility Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\RUFSI.DLL
CODEBASE = http://security.syma...n/bin/cabsa.cab

[PCPitstop Utility]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\PCPITSTOP.DLL
CODEBASE = http://www.pcpitstop...p/PCPitStop.CAB

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

WebCheck: C:\WINDOWS\SYSTEM\WEBCHECK.DLL

--------------------------------------------------
End of report, 6,281 bytes
Report generated in 0.045 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

#3 jedi

jedi

    aequam memento rebus in arduis servare mentem

  • Retired Staff
  • 15,830 posts

Posted 09 September 2005 - 12:29 PM

Hi,

Use the option 'Do a system scan and save a logfile', it will open Notepad automatically after the scan with your log in it, which you can then copy and paste here.
CM
jedi

My help is free, but if you wish to help keep these forums running please consider a donation, see This Topic for details.

#4 jedi

Posted 10 September 2005 - 02:34 AM

Hi again,

Scan with HiJackThis and put a check in the box next to the following items:

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab

Close all browsers and windows, click on ‘fix selected’ and allow HJT to fix these entries.

Restart.

I also suggest you remove this. It is unnecessary and uses resources, and is suspected of sending back information to the parent company:

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

More info and removal instructions here http://www.help2go.c...article&sid=211


Scan again with HJT (with all browsers and windows closed) and post the new log in this thread.
CM

#5 eagleal

Posted 10 September 2005 - 07:45 AM

#6 eagleal

Posted 10 September 2005 - 07:46 AM

Kind regards to all for replying. I think I have sorted it, thanks to your knowledge.
:p

#7 jedi

Posted 12 September 2005 - 09:00 AM

You're welcome.

In order to be better protected in the future, I recommend the following programs:

SpywareBlaster protects against bad ActiveX.
http://www.javacools...areblaster.html

SpywareGuard stops Spyware from being installed.
http://www.javacools...ywareguard.html


IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
https://netfiles.uiu...ww/resource.htm

All three are very small free programs that you run once, and then just occasionally to check for updates.

Also see How did I get infected?

Finally, it is best to update your system regularly, to ensure you have the latest security patches from Microsoft. Update by clicking here http://v4.windowsupdate.microsoft.com/ and following the prompts.
CM :thumbsup:

#8 jedi

Posted 15 September 2005 - 01:36 PM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
an email with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.