1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

A Hijack This Log.

Discussion in 'Virus & Other Malware Removal' started by booradley01, Oct 18, 2003.

Thread Status:
Not open for further replies.
Advertisement
  1. booradley01

    booradley01 Thread Starter

    Joined:
    Aug 25, 2003
    Messages:
    70
    Okay, I got tricked into going to a porn site(I swear) and my computer's been acting up. I've already ran Ad Aware and Spybot(I did check for updates first, too). What can I get rid of?



    Logfile of HijackThis v1.96.2
    Scan saved at 10:17:44 PM, on 10/18/03
    Platform: Windows 98 Gold (Win9x 4.10.1998)
    MSIE: Internet Explorer v5.50 (5.50.4134.0600)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\LVCOMS.EXE
    C:\PROGRAM FILES\POPUP KILLER\POPUPKILLER.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
    C:\WINDOWS\RunDLL.exe
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\AIM95\AIM.EXE
    C:\PROGRAM FILES\HIJACK THIS\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.weezer.com/news/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.babersucks.com/freebdsm/free_porn.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.babersucks.com/freebdsm/free_porn.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.insightbb.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by InsightBB.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.usefulware.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://www.ewebsearch.net/
    O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM\NZDD.DLL (disabled by BHODemon)
    O2 - BHO: (no name) - {058FC709-D5CD-4A95-92DB-59E6488ECDA4} - C:\PROGRAM FILES\INSIGHT\BBCLIENT\PROGRAMS\SABHO.DLL (disabled by BHODemon)
    O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - (no file)
    O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: &ZestyFind toolbar - {5CF8A355-F8C6-4883-9C25-49D01A7D25BE} - C:\WINDOWS\zestyfind.dll
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LVComs] c:\windows\SYSTEM\LVComS.exe
    O4 - HKLM\..\Run: [PopUpKiller] C:\PROGRAM FILES\POPUP KILLER\POPUPKILLER.EXE
    O4 - HKLM\..\Run: [BroadbandClient] C:\Program Files\Insight\BBClient\Programs\RegCon.exe /admincheck
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [CWE] C:\WINDOWS\CWE.exe
    O4 - HKLM\..\Run: [FSZGPT] C:\WINDOWS\FSZGPT.exe
    O4 - HKLM\..\Run: [BELT] C:\WINDOWS\BELT.exe
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
    O9 - Extra button: AOL Instant Messenger (SM) (HKLM)
    O14 - IERESET.INF: START_PAGE_URL=http://www.insightbb.com
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: Yahoo! PageBuilder - http://pagebuilder.yahoo.com/members/tools/pagebuilder/prod/client.2.60.23/code/client.cab
    O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://www.latinahouse.com/AxisCamControl.ocx
    O16 - DPF: {1C955F3B-5B32-4393-A05D-24B4970CD2A1} (Video Class) - http://spystream.babenet.com/cabs/videox.cab
    O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://photos.msn.ca/r/neutral/controls/MsnPUpld.cab?4,0,1323,0
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - http://test.********com/np/Otw0i.cab
     
  2. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Hi booradley01

    Run Hijack This again and put a check by these. Close all browser windows and "Fix checked"

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about :blank

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.babersucks.com/freebdsm/free_porn.html

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.babersucks.com/freebdsm/free_porn.html

    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about :blank

    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about :blank

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about :blank

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about :blank

    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.usefulware.com

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://www.ewebsearch.net/

    O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM\NZDD.DLL (disabled by BHODemon)

    O2 - BHO: (no name) - {058FC709-D5CD-4A95-92DB-59E6488ECDA4} - C:\PROGRAM FILES\INSIGHT\BBCLIENT\PROGRAMS\SABHO.DLL (disabled by BHODemon)

    O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - (no file)

    O3 - Toolbar: &ZestyFind toolbar - {5CF8A355-F8C6-4883-9C25-49D01A7D25BE} - C:\WINDOWS\zestyfind.dll

    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime

    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

    O4 - HKLM\..\Run: [FSZGPT] C:\WINDOWS\FSZGPT.exe

    O4 - HKLM\..\Run: [BELT] C:\WINDOWS\BELT.exe

    O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://www.latinahouse.com/AxisCamControl.ocx

    O16 - DPF: {1C955F3B-5B32-4393-A05D-24B4970CD2A1} (Video Class) - http://spystream.babenet.com/cabs/videox.cab

    O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - http://test.********com/np/Otw0i.cab

    Restart to Safe Mode: press f8 on startup and select Safe Mode from the boot menu.

    In Safe Mode delete:

    The C:\WINDOWS\FSZGPT.exe file
    The C:\WINDOWS\BELT.exe file

    Be sure and take advantage of the "Immunize" feature in Spybot.

    Finally go here http://www.net-integration.net/cgi-bin/forum/ikonboard.cgi?;act=ST;f=38;t=3051 for info on how this happens and how to help prevent future attacks.
    On this page you will find links to Javacool's SpywareBlaster and SpywareGuard. Get them both and check for updates frequently.
    The Immunize feature in Spybot used in conjunction with SpywareBlaster , SpywareGuard and weekly scans with Spybot and Adaware will go a long way toward keeping your PC free of these pests..

    Important!: ALWAYS check for updated detections and referencefiles before scanning with Spybot and Adaware. And be sure to check for updates to SpywareBlaster and SpywareGuard on a weekly basis.
     
  3. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Also your version of Hijack This is outdated. Open Hijack This and click on the "Config" button in the lower right corner then click on the "Misc tools" button then click on "Check for update online" and dowload the update and post the log from the new version after doing all of the above.
     
  4. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
    Add this one to the "fix" list:
    O4 - HKLM\..\Run: [CWE] C:\WINDOWS\CWE.exe
    Unless firman knows something about it.

    ;)
     
  5. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Thanks $teve for reminding me of that one. I meant to ask booradley01 about it. I got quite a few hits on that one most of which indicate that it is associated with a crossword puzzle program. I actually downloaded the crossword program just now and installed it to see if it added that to my registry and it did not.

    So maybe he knows what it is.
     
  6. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
    Thats all I found too:D
     
  7. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/172986

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice