
hijack this log please help

Discussion in 'Virus & Other Malware Removal' started by motbot, Apr 12, 2004.

Thread Status:
Not open for further replies.
  1. motbot

    motbot Thread Starter

    Joined:
    Apr 12, 2004
    Messages:
    4
    Hi,
    I'm running Win98 and have McAfee VirusScan. It found and deleted a Klez worm. Spybot and Ad-Aware are no longer finding anything either. However, the home page has been changed, and I had to run regedit to restore a previous registry backup in order to go anywhere online. Here's the HijackThis log. Can someone look at it and see what I need to do?

    thank you very much,

    motbot


    Logfile of HijackThis v1.97.7
    Scan saved at 11:08:35 AM, on 4/12/04
    Platform: Windows 98 Gold (Win9x 4.10.1998)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHLD.EXE
    C:\PROGRAM FILES\ISO DEFAULT FOUR\KINDSECTINTRA.EXE
    C:\WINDOWS\STARTER.EXE
    C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSESCN.EXE
    C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
    C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSRTE.EXE
    C:\PROGRAM FILES\MCAFEE.COM\VSO\MCMNHDLR.EXE
    C:\PROGRAM FILES\MCAFEE.COM\SHARED\MGHTML.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\SPYBOTSD.EXE
    C:\WINDOWS\TEMP\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bellsouth.net/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6711
    O1 - Hosts: 204.244.184.143 SafeWeb.com
    O1 - Hosts: 204.244.184.143 WWW.SafeWeb.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\REAL\TOOLBAR\REALBAR.DLL
    O2 - BHO: (no name) - {817B893E-2F3A-E0FD-56DC-C101005BA8ED} - C:\windows\system\cbwszbnb.dll (file missing)
    O2 - BHO: (no name) - {09D874AB-BF21-3BEC-DB9D-D0921BB368F5} - C:\windows\system\wdpvtvel.dll (file missing)
    O2 - BHO: (no name) - {0C5A9520-C9A3-0DC1-4055-406EC1222613} - C:\PROGRAM FILES\WIPE TIME CDROM\HIDE ENC.DLL
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHL.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: Ford Move Phone - {19AFCD0E-085B-5ED6-A03D-6A43497564B0} - C:\PROGRAM FILES\WIPE TIME CDROM\HIDE ENC.DLL
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [VirusScan Online] "C:\PROGRA~1\MCAFEE.COM\VSO\mcvsshld.exe"
    O4 - HKLM\..\Run: [Noun Poke] C:\PROGRA~1\ISODEF~1\kindsectintra.exe
    O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\McUpdate.exe
    O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\McAgent.exe
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O16 - DPF: {B24F0664-7DDA-40B6-B38C-A4FD68DE8685} (CentraDownloaderCtl Class) - http://centraone.stanford.edu/main/Install/en/US/CentraDownloader.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,76/mcinsctl.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,16/mcgdmgr.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/026ad4f7202f894fff06/netzip/RdxIE601.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38014.3308217593
    O16 - DPF: {0000000A-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/d/4/4/d446e8a9-3a86-4b59-bb19-f5bd11b40367/wmavax.CAB
    O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.overpro.com/WildApp.cab
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net
     
  2. buckaroo

    buckaroo

    Joined:
    Mar 25, 2001
    Messages:
    3,334
    Hi motbot, welcome to TSG.

    Close your browser, check the following two entries in HJT, click fix and reboot.

    O1 - Hosts: 204.244.184.143 SafeWeb.com
    O1 - Hosts: 204.244.184.143 WWW.SafeWeb.com

    I can't find any info on these entries:

    O2 - BHO: (no name) - {817B893E-2F3A-E0FD-56DC-C101005BA8ED} - C:\windows\system\cbwszbnb.dll (file missing)

    O2 - BHO: (no name) - {09D874AB-BF21-3BEC-DB9D-D0921BB368F5} - C:\windows\system\wdpvtvel.dll (file missing)

    O2 - BHO: (no name) - {0C5A9520-C9A3-0DC1-4055-406EC1222613} - C:\PROGRAM FILES\WIPE TIME CDROM\HIDE ENC.DLL

    O3 - Toolbar: Ford Move Phone - {19AFCD0E-085B-5ED6-A03D-6A43497564B0} - C:\PROGRAM FILES\WIPE TIME CDROM\HIDE ENC.DLL

    They may be legit, I don't know. You can have HJT remove them. If you need them restored, HJT backs up whatever you fix and you can restore them if you need them.

    :)
     
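An added example, not from this thread or from HijackThis itself: it parses lines in the log format shown above and flags the entries buckaroo singled out (O1 hosts overrides, BHO/toolbar entries with no vendor match or a missing DLL) plus the R1 localhost proxy, so a reviewer can triage a pasted log quickly. The sample lines are copied from the thread's log and the vendor allow-list is an assumption for this example.

```python
import re

# Constructed sample in the shape of the HijackThis 1.97 log above (not a full log).
SAMPLE_LINES = [
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bellsouth.net/",
    r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6711",
    r"O1 - Hosts: 204.244.184.143 SafeWeb.com",
    r"O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX",
    r"O2 - BHO: (no name) - {817B893E-2F3A-E0FD-56DC-C101005BA8ED} - C:\windows\system\cbwszbnb.dll (file missing)",
    r"O3 - Toolbar: Ford Move Phone - {19AFCD0E-085B-5ED6-A03D-6A43497564B0} - C:\PROGRAM FILES\WIPE TIME CDROM\HIDE ENC.DLL",
    r"O4 - HKLM\..\Run: [Noun Poke] C:\PROGRA~1\ISODEF~1\kindsectintra.exe",
]
SAMPLE_LOG = "\n".join(SAMPLE_LINES)

# Every HJT item starts with a section tag (R0, O1, O16, ...) followed by " - ".
LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")

def parse_hjt(text):
    """Split a HijackThis log into (section, body) pairs; header and process lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries

# Assumed allow-list of vendors/components the reviewer recognises in this log.
KNOWN = ("ADOBE", "MCAFEE", "REAL", "MSDXM.OCX", "scanregw", "taskmon", "SysTray")

def is_known(body):
    return any(k.lower() in body.lower() for k in KNOWN)

def triage(entries):
    """Return (section, reason, body) for entries that merit a manual look.
    These are heuristics: each hit is a question to answer, not a verdict."""
    hits = []
    for section, body in entries:
        if section == "O1":
            hits.append((section, "hosts-file entry overrides name resolution", body))
        elif section == "R1" and "ProxyServer" in body and "127.0.0.1" in body:
            hits.append((section, "browser traffic proxied through a local port", body))
        elif section in ("O2", "O3") and body.endswith("(file missing)"):
            hits.append((section, "registered BHO/toolbar whose DLL is gone", body))
        elif section in ("O2", "O3", "O4") and not is_known(body):
            hits.append((section, "BHO/toolbar/Run entry with no recognised vendor", body))
    return hits
```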
Short URL to this thread: https://techguy.org/219645