Hijacked also

[dj110965]

I tried following your instruction about downloading hijackthis from spyware, but when I tried to unzip it I got an error message could not find file msvbvm60.dll what do I do about that?

My default page under internet options is hijacked.
http://freehqmovies.com/enter.php don't want that!!!
Window 98

Thanks

 

[bassetman]

Welcome to TSG!

Who's advice did you follow????

This shows 1 post.

 

[Deke40]

I am not being a smartxxx but can't a vistor read posts and not register to post.

I know I haven't been here long but when I found this site I immediately registered so I don't really remember if you can browse without registering.

dj-Go here and download the file you need:

http://www.milori.com/developer/runtimes/

 

[TonyKlein]

About the msvbvm60 error, do this:

Download the MS visual basic 6.0 runtime files

Just doubleclick after downloading, and let it install.


You'll be able to run Hijack This afterwards.

 

[Deke40]

Tony

I was hoping you would come along. I have the msvbvm60.dll but not the VbRun60.exe. I have a VbRun300.dll thats looks real old. My hijack runs alright but would it be beneficial to dowload 60.exe.

Also I had a 40 and 50.dll and deleted them to see if they were needed or not. Still have them in the RB.

 

[TonyKlein]

It's not required to install them, but it certainly can't hurt

If the install process finds more recent versions of some of these files on your computer, it won't downgrade them, so there's no risk.

I usually advise folks to do it this way, as it's so much easier to install.

If you're not getting any "missing files" errors yourself , I'd just leave it as it is.

 

[Deke40]

Thanks Tony.

 

[bassetman]

Deke

I am not being a smartxxx but can't a vistor read posts and not register to post.

Deke, not sure if this was directed at me, but all I was asking was what instructions they had tried. I didn't know what post they were refering to.

John

 

[Deke40]

John

No disrespect intended. I was referring to your comment about his having only 1 post . I actually couldn't remember if you could just browse and not register. Now that I think about it I see the number of members and vistors posted at the bottom of Home page. I should have used a question mark after that statement and it would have been a question as intended, instead of sounding like a smartxxx remark. Should have said "can a vistor read posts and not register to post"?

I apologize if it offended you.

 

[bassetman]

No foul, no harm!

Just checking it out!

John

 

[dj110965]

This is the log file what should I do from here...thanks to all!!!



Logfile of HijackThis v1.91.2
Scan saved at 2:45:27 PM, on 01/21/2003
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL=http://www.freehqmovies.com/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL=http://www.topsearcher.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://www.freehqmovies.com/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=http://www.freehqmovies.com/enter.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL=http://www.freehqmovies.com/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://www.freehqmovies.com/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch=http://www.freehqmovies.com/search/
O3 - Toolbar: (no name) - {69550BE2-9A78-11d2-BA91-00600827878D} - C:\WINDOWS\system\shdocvw.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
O4 - HKLM\..\Run: [Vshwin32EXE] C:\McAfee\VirusScan\VSHWIN32.EXE
O4 - HKLM\..\Run: [mmpti] c:\windows\SYSTEM\m1mmpti.exe
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [WinServices] C:\WINDOWS\SYSTEM\WinServices.exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
O4 - HKLM\..\Run: [PE2CKFNT SE] C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\BIN\REGIST~1.EXE
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\BIN\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [CriticalUpdate] c:\windows\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe
O4 - HKLM\..\RunServices: [Vshwin32EXE] C:\McAfee\VirusScan\VSHWIN32.EXE
O4 - HKLM\..\RunServices: [WinServices] C:\WINDOWS\SYSTEM\WinServices.exe
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\BIN\REGIST~1.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [rmmon] c:\windows\SYSTEM\mprmmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: Win32 Classes - file://C:\WINDOWS\Java\classes\win32ie4.cab
O16 - DPF: {02466323-75ED-11CF-A267-0020AF2546EA} (VivoActive Control) - http://player.vivo.com/ie/vvweb.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {22D6F312-B0F6-11D0-94AB-0080C74C7E95} (Windows Media Player) - http://activex.microsoft.com/activex/controls/mplayer/en/nsmp2inf.cab
O16 - DPF: {EE8B6D5F-FEF2-11D0-B13F-00A024798EF3} (Microsoft Search Settings Control) - http://home.microsoft.com/search/lobby/searchsettings.cab
O16 - DPF: {0713E8D2-850A-101B-AFC0-4210102A8DA7} (Microsoft ProgressBar Control, version 5.0 (SP2)) - http://clinicdownload.mcafee.com/molbin/Shared/ComCtl32.cab
O16 - DPF: {0122955E-1FB0-11D2-A238-006097FAEE8B} (CscClnt Class) - http://central1.clevercontent.com/cccabs/CleverContent.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) - http://207.188.7.150/098c74f252b482a7d503/netzip/RdxIE.cab
O16 - DPF: {1D2DCA0D-B30F-40AD-9690-087105F214EC} (IEDial Class) - http://fr4-download.nocreditcard.com/download/Object/ieaccess2.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.141/code/PWActiveXImgCtl.CAB
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://a840.g.akamai.net/7/840/5805...ch.com/audit/includes/ContentAuditControl.cab

 

[TonyKlein]

Man! You have the Yaha worm, and some spyware.

Do this:

Run Hijack This, and check ALL of the items in bold. Doublecheck so as to be sure not to miss a single one.
Next, shut down all Internet Explorer Windows, and have HT fix all checked.
Reboot when you're done.

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL=http://www.freehqmovies.com/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL=http://www.topsearcher.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://www.freehqmovies.com/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=http://www.freehqmovies.com/enter.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL=http://www.freehqmovies.com/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://www.freehqmovies.com/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch=http://www.freehqmovies.com/search/

O3 - Toolbar: (no name) - {69550BE2-9A78-11d2-BA91-00600827878D} - C:\WINDOWS\system\shdocvw.dll

O4 - HKLM\..\RunServices: [WinServices] C:\WINDOWS\SYSTEM\WinServices.exe

O16 - DPF: {0122955E-1FB0-11D2-A238-006097FAEE8B} (CscClnt Class) - http://central1.clevercontent.com/c...everContent.cab
O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) - http://207.188.7.150/098c74f252b482...etzip/RdxIE.cab
O16 - DPF: {1D2DCA0D-B30F-40AD-9690-087105F214EC} (IEDial Class) - http://fr4-download.nocreditcard.co...t/ieaccess2.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.141/code/PWActiveXImgCtl.CAB
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://a840.g.akamai.net/7/840/5805...uditControl.cab

After rebooting download and run the Yaha removal tool:

http://securityresponse.symantec.com/avcenter/venc/data/w32.yaha.removal.tool.html

Good luck,

 

[dj110965]

It looks like this issue has been resolved. I want to thank you for your support. I'm glad someone out there knew what to do and volunteered your expertise.


Again Thanks

 

[TonyKlein]

No prob!

Glad to hear you were able to get rid of it.