I need help with a hijackthis log

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by frankj@all, Jun 22, 2004.

frankj@all (Private E-2)

    Something is hijacking my browser. I have run Adaware, Spybot S&D and CWShredder and fixed all that they have found.

    Thanks in advance

    Frank


    Logfile of HijackThis v1.97.7
    Scan saved at 12:23:54 PM, on 06/22/2004
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\RTVSCN95.EXE
    C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\DEFWATCH.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\COMMON FILES\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE
    C:\DMI\WIN32\BIN\WIN32SL.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\VPTRAY.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\MOUSE\SYSTEM\EM_EXEC.EXE
    C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\MMKEYBD.EXE
    C:\WINDOWS\SYSTEM\SXGTKBAR.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
    C:\WINDOWS\RunDLL.exe
    C:\WINDOWS\SYSTEM\CTFMON.EXE
    C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
    C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\TRAYMON.EXE
    C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\FRANK\HIJACKTHIS\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://c:\windows\TEMP\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:\windows\TEMP\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://c:\windows\TEMP\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://c:\windows\TEMP\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:\windows\TEMP\sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://c:\windows\TEMP\sp.html
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.1.1:8080
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX (file missing)
    O2 - BHO: (no name) - {6E9E3013-4F5C-4CD5-B21E-8CB56C19E7EC} - C:\WINDOWS\SYSTEM\FBP.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [EM_EXEC] c:\mouse\system\em_exec.exe
    O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
    O4 - HKLM\..\Run: [SxgTkBar] SxgTkBar.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\RunServices: [rtvscn95] C:\PROGRA~1\SYMANT~1\SYMANT~1\rtvscn95.exe
    O4 - HKLM\..\RunServices: [defwatch] C:\PROGRA~1\SYMANT~1\SYMANT~1\defwatch.exe
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [MOSearch] C:\PROGRA~1\COMMON~1\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE
    O4 - HKLM\..\RunServices: [WIN32SL] c:\dmi\win32\bin\win32sl.exe -i -p -r
    O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
    O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
    O9 - Extra button: Dell Home (HKCU)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (WficaCtl Object) - http://www.citrix.com/bin/cab/wfica.cab
    O16 - DPF: {79EAE2E6-B318-11D3-96AA-00A02472EFE9} (WebView Control) - http://emanuals.linkbelt.com/WebView.ocx
    O16 - DPF: {351CF0CE-B05A-11D2-ABD9-00104B685417} (PWImageControl Class) - http://ebay.sj.ipixmedia.com/code//PWActiveXImgCtl.cab
    O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://www.installfromtheweb.com/install/iftwclix.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37951.2663773148
    O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v43/yacscom.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/066203f1866b709e3f20/netzip/RdxIE601.cab
    O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
    O16 - DPF: Jadvantage - http://www.terexolathe.com/Jadvantage.CAB
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = allcleveland.com
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 192.168.1.1



    StartupList report, 06/22/2004, 12:20:36 PM
    StartupList version: 1.52
    Started from : C:\FRANK\HIJACKTHIS\HIJACKTHIS.EXE
    Detected: Windows 98 SE (Win9x 4.10.2222A)
    Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    * Using default options
    ==================================================
    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\RTVSCN95.EXE
    C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\DEFWATCH.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\COMMON FILES\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE
    C:\DMI\WIN32\BIN\WIN32SL.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\VPTRAY.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\MOUSE\SYSTEM\EM_EXEC.EXE
    C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\MMKEYBD.EXE
    C:\WINDOWS\SYSTEM\SXGTKBAR.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
    C:\WINDOWS\RunDLL.exe
    C:\WINDOWS\SYSTEM\CTFMON.EXE
    C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
    C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\TRAYMON.EXE
    C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\FRANK\HIJACKTHIS\HIJACKTHIS.EXE
    --------------------------------------------------
    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    vptray = C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    SystemTray = SysTray.Exe
    LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    EM_EXEC = c:\mouse\system\em_exec.exe
    MULTIMEDIA KEYBOARD = C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
    SxgTkBar = SxgTkBar.exe
    TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    --------------------------------------------------
    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
    rtvscn95 = C:\PROGRA~1\SYMANT~1\SYMANT~1\rtvscn95.exe
    defwatch = C:\PROGRA~1\SYMANT~1\SYMANT~1\defwatch.exe
    SchedulingAgent = mstask.exe
    MOSearch = C:\PROGRA~1\COMMON~1\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE
    WIN32SL = c:\dmi\win32\bin\win32sl.exe -i -p -r
    --------------------------------------------------
    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    Taskbar Display Controls = RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
    ctfmon.exe = ctfmon.exe
    --------------------------------------------------
    C:\WINDOWS\WININIT.BAK listing:
    (Created 22/6/2004, 11:54:50)
    [Rename]
    NUL=C:\WINDOWS\NDNUNI~1.EXE
    --------------------------------------------------
    C:\AUTOEXEC.BAT listing:
    SET PATH=C:\WINDOWS\SYSTEM\WBEM;C:\DMI\WIN32\BIN;C:\PROGRA~1\SYBASE\ADAPTI~1.0\WIN32
    SET WIN32DMIPATH=C:\DMI\WIN32
    SET PATH=%PATH%;C:\PROGRA~1\SYBASE\ADAPTI~1.0\WIN32;G:\SHARED;C:\PROGRA~1\CRANE\SHARED
    --------------------------------------------------

    Enumerating Browser Helper Objects:
    (no name) - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX (file missing) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
    (no name) - C:\WINDOWS\SYSTEM\FBP.DLL - {6E9E3013-4F5C-4CD5-B21E-8CB56C19E7EC}
    --------------------------------------------------
    Enumerating Task Scheduler jobs:
    Tune-up Application Start.job
    Symantec NetDetect.job
    Disk Defragmenter.job
    --------------------------------------------------
    Enumerating Download Program Files:
    [CV3 Class]
    InProcServer32 = C:\WINDOWS\SYSTEM\WUV3IS.DLL
    CODEBASE = http://windowsupdate.microsoft.com/R1092/V31Controls/x86/w98/en/actsetup.cab
    [WficaCtl Object]
    InProcServer32 = C:\WINDOWS\SYSTEM\WFICA.OCX
    CODEBASE = http://www.citrix.com/bin/cab/wfica.cab
    [WebView Control]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\WEBVIEW.OCX
    CODEBASE = http://emanuals.linkbelt.com/WebView.ocx
    [PWImageControl Class]
    InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\PWACTIVEXIMGCTL.DLL
    CODEBASE = http://ebay.sj.ipixmedia.com/code//PWActiveXImgCtl.cab
    [InstallFromTheWeb ActiveX Control]
    InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\IFTW.DLL
    CODEBASE = http://www.installfromtheweb.com/install/iftwclix.cab
    [Shockwave Flash Object]
    InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    [Update Class]
    InProcServer32 = C:\WINDOWS\SYSTEM\IUCTL.DLL
    CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37951.2663773148
    [Yahoo! Audio UI1]
    InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\YACSUI.DLL
    CODEBASE = http://chat.yahoo.com/cab/yacsui.cab
    [Yahoo! Audio Conferencing]
    InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\YACSCOM.DLL
    CODEBASE = http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v43/yacscom.cab
    [RdxIE Class]
    InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\RDXIE.DLL
    CODEBASE = http://software-dl.real.com/066203f1866b709e3f20/netzip/RdxIE601.cab
    [Yahoo! Webcam Viewer Wrapper]
    InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\YVWRCTL.DLL
    CODEBASE = http://chat.yahoo.com/cab/yvwrctl.cab
    --------------------------------------------------
    Enumerating ShellServiceObjectDelayLoad items:
    WebCheck: C:\WINDOWS\SYSTEM\WEBCHECK.DLL
    --------------------------------------------------
    End of report, 6,242 bytes
    Report generated in 0.028 seconds
    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only
