1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Hijacked -- dialer plugin coolsearch virus??

Discussion in 'Virus & Other Malware Removal' started by rico123456, Sep 5, 2004.

Thread Status:
Not open for further replies.
Advertisement
  1. rico123456

    rico123456 Thread Starter

    Joined:
    Sep 5, 2004
    Messages:
    58
    Help, please,

    I am having lots of problems that seem to have occurred after I tried to switch to SBCYahoo DSL and it installed a new version of Internet Explorer.

    At first my Internet Explorer was hijacked to coolsearch.biz. I think I have solved that through adaware and cwshredder but

    The computer at various times wants to connect this dialer -- sometimes dialer.admin shows up on the URL line

    And sometimes this thing starts to run, "Please wait while we prepare the plugin"

    I don't have a clue how to deal with this. Thanks
     
  2. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    Please post a Hijackthis log to help experts see what the problem might be. It shows a lot of the bad but- most of what it shows is good and needed, so do NOT attempt to fix things with Hijackthis unless you are experienced.

    HJT must be run from a permanent location, not the Temp folders: you can make a new folder on the desktop> right click an empty spot>New>Folder and rename it HJT and have the download saved there.

    Download:

    http://tools.radiosplace.com/HijackThis.exe


    Directions as to how to Copy/Paste the saved logfile

    http://mjc1.com/mirror/hjt/

    If you have any programs etc turned off using MSConfig (also known as System Configuration Utility) you should put the checkmarks back into them before running Hijackthis...we need to see the entire log.

    Post the log into a reply here in your thread and someone will get back to you with advice.
     
  3. rico123456

    rico123456 Thread Starter

    Joined:
    Sep 5, 2004
    Messages:
    58
    Here is the log. Thank you

    Logfile of HijackThis v1.98.2
    Scan saved at 1:46:59 PM, on 9/5/04
    Platform: Windows 98 Gold (Win9x 4.10.1998)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\DRMON\SMARTAGT\SMARTAGT.EXE
    C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe
    C:\WINDOWS\SYSTEM\MPRMMON.EXE
    C:\WINDOWS\SYSTEM\M2AUDMON.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\GWHOTKEY.EXE
    C:\WINDOWS\STARTER.EXE
    C:\WINDOWS\SYSTEM\HPZTSB01.EXE
    C:\PROGRAM FILES\MCAFEE\QUICKCLEAN\PLGUNI.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\GUARDIAN\CMGRDIAN.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
    C:\WINDOWS\SYSTEM32\DRIVERS\KODAKCCS.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\PROGRAM FILES\BROADJUMP\CLIENT FOUNDATION\CFD.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\PROGRAM FILES\VISUAL NETWORKS\VISUAL IP INSIGHT\SBC\IPCLIENT.EXE
    C:\WINDOWS\SYSTEM\MSWHEEL.EXE
    C:\PROGRAM FILES\VISUAL NETWORKS\VISUAL IP INSIGHT\SBC\IPMON32.EXE
    C:\WINDOWS\SYSTEM\HOST32.EXE
    C:\WINDOWS\RUNDLL32.EXE
    C:\PROGRAM FILES\KODAK\KODAK EASYSHARE SOFTWARE\BIN\EASYSHARE.EXE
    C:\WINDOWS\FSSCRCTL.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\PROGRAM FILES\VISUAL NETWORKS\VISUAL IP INSIGHT\SBC\IPCLIENT.EXE
    C:\MY DOWNLOAD FILES\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../sbcydsl/*http://www.yahoo.com/search/ie.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = ,
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
    R3 - URLSearchHook: {FD0B1A83-4F7C-11D5-BD9C-000103C116D5} - - (no file)
    F1 - win.ini: run=C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE
    N3 - Netscape 7: user_pref("browser.startup.homepage", "http://yahoo.sbc.com/dsl"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\7t3jrjlj.slt\prefs.js)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\7t3jrjlj.slt\prefs.js)
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_5_0.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O2 - BHO: (no name) - {A3DFDA85-1D92-4E28-8C0C-522574ACDC8A} - C:\WINDOWS\SYSTEM\msacrohlp.dll
    O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_5_0.DLL
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [COMSMDEXE] comsmd.exe -off
    O4 - HKLM\..\Run: [TIPS] C:\PROGRA~1\MICROS~1\tips\mouse\tips.exe
    O4 - HKLM\..\Run: [POINTER] C:\PROGRA~1\MICROS~1\point32.exe
    O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
    O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
    O4 - HKLM\..\Run: [mmpti] C:\WINDOWS\SYSTEM\m1mmpti.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb01.exe
    O4 - HKLM\..\Run: [Imonitor] "C:\Program Files\McAfee\QuickClean\Plguni.exe" /START
    O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [KodakCCS] C:\WINDOWS\System32\Drivers\KodakCCS.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
    O4 - HKLM\..\Run: [RecoverFromReboot] C:\WINDOWS\TEMP\RECOVE~1.EXE
    O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\PROGRAM FILES\VISUAL NETWORKS\VISUAL IP INSIGHT\SBC\IPClient.exe" -l
    O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\PROGRAM FILES\VISUAL NETWORKS\VISUAL IP INSIGHT\SBC\IPMon32.exe"
    O4 - HKLM\..\Run: [xpsystem] C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE
    O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\SYSTEM\host32.exe internat.dll,LoadKeyboardProfile
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [dRMON SmartAgent] drmon\SmartAgt\SmartAgt.exe
    O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe
    O4 - HKLM\..\RunServices: [rmmon] C:\WINDOWS\SYSTEM\mprmmon.exe
    O4 - HKLM\..\RunServices: [AVX Communicator] C:\WINDOWS\SYSTEM\XCOMMSVR.EXE
    O4 - HKLM\..\RunServices: [AvxIni] c:\program files\softwin\antivirus expert professional\avxinit.exe
    O4 - HKCU\..\Run: [OfotoNow USB Detection] C:\WINDOWS\RunDLL32.exe C:\PROGRA~1\OFOTO\OFOTONOW\OFUSBS.DLL,WatchForConnection OfotoNow
    O4 - HKCU\..\Run: [xpsystem] C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE
    O4 - Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    O4 - Startup: Screen Saver Control.lnk = C:\WINDOWS\FSScrCtl.exe
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\AIM\AIM.EXE
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL
    O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
    O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
    O12 - Plugin for .swf: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npswf32.dll
    O15 - Trusted Zone: *.windupdates.com
    O15 - Trusted Zone: *.searchmiracle.com
    O15 - Trusted Zone: *.skoobidoo.com
    O15 - Trusted Zone: *.my-internet.info
    O15 - Trusted Zone: *.mt-download.com
    O15 - Trusted Zone: *.clickspring.net
    O16 - DPF: {8D83D301-E841-11D1-B155-00600823BCF9} (WebLine Browser Integration Classes) - http://collsrv.thrifty.com/webline/applets/msie40x.cab
    O16 - DPF: HushEncryptionEngine - https://mailserver1.hushmail.com/shared/HushEncryptionEngine.cab
    O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
    O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
     
  4. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Hi rico123456

    Welcome to TSG! :)

    Run Hijack This again and put a check by these. Close ALL windows except HijackThis and click "Fix checked"

    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = ,

    R3 - URLSearchHook: {FD0B1A83-4F7C-11D5-BD9C-000103C116D5} - - (no file)

    F1 - win.ini: run=C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE

    O2 - BHO: (no name) - {A3DFDA85-1D92-4E28-8C0C-522574ACDC8A} - C:\WINDOWS\SYSTEM\msacrohlp.dll

    O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)

    O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe

    O4 - HKLM\..\Run: [RecoverFromReboot] C:\WINDOWS\TEMP\RECOVE~1.EXE

    O4 - HKLM\..\Run: [xpsystem] C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE

    O4 - HKCU\..\Run: [xpsystem] C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE

    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

    O15 - Trusted Zone: *.windupdates.com
    O15 - Trusted Zone: *.searchmiracle.com
    O15 - Trusted Zone: *.skoobidoo.com
    O15 - Trusted Zone: *.my-internet.info
    O15 - Trusted Zone: *.mt-download.com
    O15 - Trusted Zone: *.clickspring.net


    Restart to safe mode.

    How to start your computer in safe mode

    First in safe mode click on My Computer then go to View > Folder Options. Click on the "View" tab and make sure "Show all files" is ticked and uncheck "Hide file extensions for known file types". Click "Like Current Folder" then click "Apply" then "OK"

    Now find and delete the C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE file

    Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.


    Empty the Recycle Bin


    Go here and download Adaware SE.

    Install the program and launch it.

    First in the main window look in the bottom right corner and click on Check for updates now then click Connect and download the latest reference files.

    From main window :Click Start then under Select a scan Mode tick Perform full system scan.

    Next deselect Search for negligible risk entries.

    Now to scan just click the Next button.

    When the scan is finished mark everything for removal and get rid of it.(Right-click the window and choose select all from the drop down menu and click Next)

    Restart your computer.
     
  5. rico123456

    rico123456 Thread Starter

    Joined:
    Sep 5, 2004
    Messages:
    58
    I went through what you suggested, and then when I turned on the computer and got on line, as I was connecting to the forum, a popup came that said Please wait while preparing plugin and it was starting to install something.

    Here is the new Hijack this log

    Logfile of HijackThis v1.97.6
    Scan saved at 5:58:30 PM, on 9/5/04
    Platform: Windows 98 Gold (Win9x 4.10.1998)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\DRMON\SMARTAGT\SMARTAGT.EXE
    C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe
    C:\WINDOWS\SYSTEM\MPRMMON.EXE
    C:\WINDOWS\SYSTEM\M2AUDMON.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\GWHOTKEY.EXE
    C:\WINDOWS\STARTER.EXE
    C:\WINDOWS\SYSTEM\HPZTSB01.EXE
    C:\PROGRAM FILES\MCAFEE\QUICKCLEAN\PLGUNI.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\GUARDIAN\CMGRDIAN.EXE
    C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM32\DRIVERS\KODAKCCS.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\PROGRAM FILES\VISUAL NETWORKS\VISUAL IP INSIGHT\SBC\IPCLIENT.EXE
    C:\PROGRAM FILES\VISUAL NETWORKS\VISUAL IP INSIGHT\SBC\IPMON32.EXE
    C:\WINDOWS\SYSTEM\HOST32.EXE
    C:\WINDOWS\SYSTEM\MSWHEEL.EXE
    C:\WINDOWS\RUNDLL32.EXE
    C:\PROGRAM FILES\KODAK\KODAK EASYSHARE SOFTWARE\BIN\EASYSHARE.EXE
    C:\WINDOWS\FSSCRCTL.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\PROGRAM FILES\VISUAL NETWORKS\VISUAL IP INSIGHT\SBC\IPCLIENT.EXE
    C:\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../sbcydsl/*http://www.yahoo.com/search/ie.html
    R3 - URLSearchHook: {FD0B1A83-4F7C-11D5-BD9C-000103C116D5} - - (no file)
    F1 - win.ini: run=C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE
    N3 - Netscape 7: user_pref("browser.startup.homepage", "http://yahoo.sbc.com/dsl"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\7t3jrjlj.slt\prefs.js)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\7t3jrjlj.slt\prefs.js)
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_5_0.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_5_0.DLL
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [COMSMDEXE] comsmd.exe -off
    O4 - HKLM\..\Run: [TIPS] C:\PROGRA~1\MICROS~1\tips\mouse\tips.exe
    O4 - HKLM\..\Run: [POINTER] C:\PROGRA~1\MICROS~1\point32.exe
    O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
    O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
    O4 - HKLM\..\Run: [mmpti] C:\WINDOWS\SYSTEM\m1mmpti.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb01.exe
    O4 - HKLM\..\Run: [Imonitor] "C:\Program Files\McAfee\QuickClean\Plguni.exe" /START
    O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [KodakCCS] C:\WINDOWS\System32\Drivers\KodakCCS.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\PROGRAM FILES\VISUAL NETWORKS\VISUAL IP INSIGHT\SBC\IPClient.exe" -l
    O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\PROGRAM FILES\VISUAL NETWORKS\VISUAL IP INSIGHT\SBC\IPMon32.exe"
    O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\SYSTEM\host32.exe internat.dll,LoadKeyboardProfile
    O4 - HKLM\..\Run: [xpsystem] C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [dRMON SmartAgent] drmon\SmartAgt\SmartAgt.exe
    O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe
    O4 - HKLM\..\RunServices: [rmmon] C:\WINDOWS\SYSTEM\mprmmon.exe
    O4 - HKLM\..\RunServices: [AVX Communicator] C:\WINDOWS\SYSTEM\XCOMMSVR.EXE
    O4 - HKLM\..\RunServices: [AvxIni] c:\program files\softwin\antivirus expert professional\avxinit.exe
    O4 - HKCU\..\Run: [OfotoNow USB Detection] C:\WINDOWS\RunDLL32.exe C:\PROGRA~1\OFOTO\OFOTONOW\OFUSBS.DLL,WatchForConnection OfotoNow
    O4 - HKCU\..\Run: [xpsystem] C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE
    O4 - Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    O4 - Startup: Screen Saver Control.lnk = C:\WINDOWS\FSScrCtl.exe
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: Yahoo! Login (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM)
    O12 - Plugin for .swf: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npswf32.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {8D83D301-E841-11D1-B155-00600823BCF9} (WebLine Browser Integration Classes) - http://collsrv.thrifty.com/webline/applets/msie40x.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37896.6437615741
    O16 - DPF: HushEncryptionEngine - https://mailserver1.hushmail.com/shared/HushEncryptionEngine.cab
    O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yahoo.com/dl/installs/ymail/ymmapi.dll
    O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://download.yahoo.com/dl/installs/yab_af.cab
     
  6. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    You need to post the log from the new version of Hijack This. You posted a log from the old one:

    Logfile of HijackThis v1.97.6
     
  7. rico123456

    rico123456 Thread Starter

    Joined:
    Sep 5, 2004
    Messages:
    58
    sorry. here is a new one. i have also recently had this box come up with a web dialer again

    Logfile of HijackThis v1.97.6
    Scan saved at 6:37:16 PM, on 9/5/04
    Platform: Windows 98 Gold (Win9x 4.10.1998)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\DRMON\SMARTAGT\SMARTAGT.EXE
    C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe
    C:\WINDOWS\SYSTEM\MPRMMON.EXE
    C:\WINDOWS\SYSTEM\M2AUDMON.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\GWHOTKEY.EXE
    C:\WINDOWS\STARTER.EXE
    C:\WINDOWS\SYSTEM\HPZTSB01.EXE
    C:\PROGRAM FILES\MCAFEE\QUICKCLEAN\PLGUNI.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\GUARDIAN\CMGRDIAN.EXE
    C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM32\DRIVERS\KODAKCCS.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\PROGRAM FILES\VISUAL NETWORKS\VISUAL IP INSIGHT\SBC\IPCLIENT.EXE
    C:\PROGRAM FILES\VISUAL NETWORKS\VISUAL IP INSIGHT\SBC\IPMON32.EXE
    C:\WINDOWS\SYSTEM\HOST32.EXE
    C:\WINDOWS\SYSTEM\MSWHEEL.EXE
    C:\WINDOWS\RUNDLL32.EXE
    C:\PROGRAM FILES\KODAK\KODAK EASYSHARE SOFTWARE\BIN\EASYSHARE.EXE
    C:\WINDOWS\FSSCRCTL.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\PROGRAM FILES\VISUAL NETWORKS\VISUAL IP INSIGHT\SBC\IPCLIENT.EXE
    C:\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../sbcydsl/*http://www.yahoo.com/search/ie.html
    R3 - URLSearchHook: {FD0B1A83-4F7C-11D5-BD9C-000103C116D5} - - (no file)
    F1 - win.ini: run=C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE
    N3 - Netscape 7: user_pref("browser.startup.homepage", "http://yahoo.sbc.com/dsl"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\7t3jrjlj.slt\prefs.js)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\7t3jrjlj.slt\prefs.js)
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_5_0.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_5_0.DLL
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [COMSMDEXE] comsmd.exe -off
    O4 - HKLM\..\Run: [TIPS] C:\PROGRA~1\MICROS~1\tips\mouse\tips.exe
    O4 - HKLM\..\Run: [POINTER] C:\PROGRA~1\MICROS~1\point32.exe
    O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
    O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
    O4 - HKLM\..\Run: [mmpti] C:\WINDOWS\SYSTEM\m1mmpti.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb01.exe
    O4 - HKLM\..\Run: [Imonitor] "C:\Program Files\McAfee\QuickClean\Plguni.exe" /START
    O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [KodakCCS] C:\WINDOWS\System32\Drivers\KodakCCS.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\PROGRAM FILES\VISUAL NETWORKS\VISUAL IP INSIGHT\SBC\IPClient.exe" -l
    O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\PROGRAM FILES\VISUAL NETWORKS\VISUAL IP INSIGHT\SBC\IPMon32.exe"
    O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\SYSTEM\host32.exe internat.dll,LoadKeyboardProfile
    O4 - HKLM\..\Run: [xpsystem] C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [dRMON SmartAgent] drmon\SmartAgt\SmartAgt.exe
    O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe
    O4 - HKLM\..\RunServices: [rmmon] C:\WINDOWS\SYSTEM\mprmmon.exe
    O4 - HKLM\..\RunServices: [AVX Communicator] C:\WINDOWS\SYSTEM\XCOMMSVR.EXE
    O4 - HKLM\..\RunServices: [AvxIni] c:\program files\softwin\antivirus expert professional\avxinit.exe
    O4 - HKCU\..\Run: [OfotoNow USB Detection] C:\WINDOWS\RunDLL32.exe C:\PROGRA~1\OFOTO\OFOTONOW\OFUSBS.DLL,WatchForConnection OfotoNow
    O4 - HKCU\..\Run: [xpsystem] C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE
    O4 - Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    O4 - Startup: Screen Saver Control.lnk = C:\WINDOWS\FSScrCtl.exe
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: Yahoo! Login (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM)
    O12 - Plugin for .swf: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npswf32.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {8D83D301-E841-11D1-B155-00600823BCF9} (WebLine Browser Integration Classes) - http://collsrv.thrifty.com/webline/applets/msie40x.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37896.6437615741
    O16 - DPF: HushEncryptionEngine - https://mailserver1.hushmail.com/shared/HushEncryptionEngine.cab
    O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yahoo.com/dl/installs/ymail/ymmapi.dll
    O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://download.yahoo.com/dl/installs/yab_af.cab
     
  8. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    That log is from the old version too:

    Logfile of HijackThis v1.97.6

    You need to get rid of the old version of Hijack This and only use the new one.... 1.98.2.

    Now scan again with HJT version 1.98.2 and post the log from it.
     
  9. rico123456

    rico123456 Thread Starter

    Joined:
    Sep 5, 2004
    Messages:
    58
    OK, how about this?

    Logfile of HijackThis v1.98.2
    Scan saved at 6:57:44 PM, on 9/5/04
    Platform: Windows 98 Gold (Win9x 4.10.1998)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\DRMON\SMARTAGT\SMARTAGT.EXE
    C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe
    C:\WINDOWS\SYSTEM\MPRMMON.EXE
    C:\WINDOWS\SYSTEM\M2AUDMON.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\GWHOTKEY.EXE
    C:\WINDOWS\STARTER.EXE
    C:\WINDOWS\SYSTEM\HPZTSB01.EXE
    C:\PROGRAM FILES\MCAFEE\QUICKCLEAN\PLGUNI.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\GUARDIAN\CMGRDIAN.EXE
    C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM32\DRIVERS\KODAKCCS.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\PROGRAM FILES\VISUAL NETWORKS\VISUAL IP INSIGHT\SBC\IPCLIENT.EXE
    C:\PROGRAM FILES\VISUAL NETWORKS\VISUAL IP INSIGHT\SBC\IPMON32.EXE
    C:\WINDOWS\SYSTEM\HOST32.EXE
    C:\WINDOWS\SYSTEM\MSWHEEL.EXE
    C:\WINDOWS\RUNDLL32.EXE
    C:\PROGRAM FILES\KODAK\KODAK EASYSHARE SOFTWARE\BIN\EASYSHARE.EXE
    C:\WINDOWS\FSSCRCTL.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\PROGRAM FILES\VISUAL NETWORKS\VISUAL IP INSIGHT\SBC\IPCLIENT.EXE
    C:\HIJACKTHIS.EXE
    C:\MY DOWNLOAD FILES\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../sbcydsl/*http://www.yahoo.com/search/ie.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = ,
    R3 - URLSearchHook: {FD0B1A83-4F7C-11D5-BD9C-000103C116D5} - - (no file)
    F1 - win.ini: run=C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE
    N3 - Netscape 7: user_pref("browser.startup.homepage", "http://yahoo.sbc.com/dsl"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\7t3jrjlj.slt\prefs.js)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\7t3jrjlj.slt\prefs.js)
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_5_0.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
    O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} - C:\WINDOWS\QUESTMOD.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_5_0.DLL
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [COMSMDEXE] comsmd.exe -off
    O4 - HKLM\..\Run: [TIPS] C:\PROGRA~1\MICROS~1\tips\mouse\tips.exe
    O4 - HKLM\..\Run: [POINTER] C:\PROGRA~1\MICROS~1\point32.exe
    O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
    O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
    O4 - HKLM\..\Run: [mmpti] C:\WINDOWS\SYSTEM\m1mmpti.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb01.exe
    O4 - HKLM\..\Run: [Imonitor] "C:\Program Files\McAfee\QuickClean\Plguni.exe" /START
    O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [KodakCCS] C:\WINDOWS\System32\Drivers\KodakCCS.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\PROGRAM FILES\VISUAL NETWORKS\VISUAL IP INSIGHT\SBC\IPClient.exe" -l
    O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\PROGRAM FILES\VISUAL NETWORKS\VISUAL IP INSIGHT\SBC\IPMon32.exe"
    O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\SYSTEM\host32.exe internat.dll,LoadKeyboardProfile
    O4 - HKLM\..\Run: [xpsystem] C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [dRMON SmartAgent] drmon\SmartAgt\SmartAgt.exe
    O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe
    O4 - HKLM\..\RunServices: [rmmon] C:\WINDOWS\SYSTEM\mprmmon.exe
    O4 - HKLM\..\RunServices: [AVX Communicator] C:\WINDOWS\SYSTEM\XCOMMSVR.EXE
    O4 - HKLM\..\RunServices: [AvxIni] c:\program files\softwin\antivirus expert professional\avxinit.exe
    O4 - HKCU\..\Run: [OfotoNow USB Detection] C:\WINDOWS\RunDLL32.exe C:\PROGRA~1\OFOTO\OFOTONOW\OFUSBS.DLL,WatchForConnection OfotoNow
    O4 - HKCU\..\Run: [xpsystem] C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE
    O4 - Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    O4 - Startup: Screen Saver Control.lnk = C:\WINDOWS\FSScrCtl.exe
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\AIM\AIM.EXE
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL
    O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
    O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
    O12 - Plugin for .swf: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npswf32.dll
    O16 - DPF: {8D83D301-E841-11D1-B155-00600823BCF9} (WebLine Browser Integration Classes) - http://collsrv.thrifty.com/webline/applets/msie40x.cab
    O16 - DPF: HushEncryptionEngine - https://mailserver1.hushmail.com/shared/HushEncryptionEngine.cab
    O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
    O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
     
  10. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Run Hijack This again and put a check by these. Close ALL windows except HijackThis and click "Fix checked"

    R3 - URLSearchHook: {FD0B1A83-4F7C-11D5-BD9C-000103C116D5} - - (no file)

    F1 - win.ini: run=C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE

    O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)

    O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} - C:\WINDOWS\QUESTMOD.DLL

    O4 - HKLM\..\Run: [xpsystem] C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE

    O4 - HKCU\..\Run: [xpsystem] C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE

    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)


    Restart to safe mode.

    How to start your computer in safe mode

    First in safe mode click on My Computer then go to View > Folder Options. Click on the "View" tab and make sure "Show all files" is ticked and uncheck "Hide file extensions for known file types". Click "Like Current Folder" then click "Apply" then "OK"

    Now find and delete the C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE file
     
  11. rico123456

    rico123456 Thread Starter

    Joined:
    Sep 5, 2004
    Messages:
    58
    I've done this. When I was signing on to the forum, this thing came on "Please Wait as we prepare the plugin" which looks like it's trying to download something onto the computer. Here is the new log. Adaware keeps showing up with this TIB Browser which I keep trying to get rid of.

    Logfile of HijackThis v1.98.2
    Scan saved at 8:22:53 PM, on 9/5/04
    Platform: Windows 98 Gold (Win9x 4.10.1998)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\DRMON\SMARTAGT\SMARTAGT.EXE
    C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe
    C:\WINDOWS\SYSTEM\MPRMMON.EXE
    C:\WINDOWS\SYSTEM\M2AUDMON.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\GWHOTKEY.EXE
    C:\WINDOWS\STARTER.EXE
    C:\WINDOWS\SYSTEM\HPZTSB01.EXE
    C:\PROGRAM FILES\MCAFEE\QUICKCLEAN\PLGUNI.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\GUARDIAN\CMGRDIAN.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
    C:\WINDOWS\SYSTEM32\DRIVERS\KODAKCCS.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\PROGRAM FILES\VISUAL NETWORKS\VISUAL IP INSIGHT\SBC\IPCLIENT.EXE
    C:\PROGRAM FILES\VISUAL NETWORKS\VISUAL IP INSIGHT\SBC\IPMON32.EXE
    C:\WINDOWS\SYSTEM\MSWHEEL.EXE
    C:\WINDOWS\SYSTEM\HOST32.EXE
    C:\WINDOWS\RUNDLL32.EXE
    C:\PROGRAM FILES\KODAK\KODAK EASYSHARE SOFTWARE\BIN\EASYSHARE.EXE
    C:\WINDOWS\FSSCRCTL.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\PROGRAM FILES\VISUAL NETWORKS\VISUAL IP INSIGHT\SBC\IPCLIENT.EXE
    C:\MY DOWNLOAD FILES\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../sbcydsl/*http://www.yahoo.com/search/ie.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = ,
    N3 - Netscape 7: user_pref("browser.startup.homepage", "http://yahoo.sbc.com/dsl"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\7t3jrjlj.slt\prefs.js)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\7t3jrjlj.slt\prefs.js)
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_5_0.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_5_0.DLL
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [COMSMDEXE] comsmd.exe -off
    O4 - HKLM\..\Run: [TIPS] C:\PROGRA~1\MICROS~1\tips\mouse\tips.exe
    O4 - HKLM\..\Run: [POINTER] C:\PROGRA~1\MICROS~1\point32.exe
    O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
    O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
    O4 - HKLM\..\Run: [mmpti] C:\WINDOWS\SYSTEM\m1mmpti.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb01.exe
    O4 - HKLM\..\Run: [Imonitor] "C:\Program Files\McAfee\QuickClean\Plguni.exe" /START
    O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [KodakCCS] C:\WINDOWS\System32\Drivers\KodakCCS.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\PROGRAM FILES\VISUAL NETWORKS\VISUAL IP INSIGHT\SBC\IPClient.exe" -l
    O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\PROGRAM FILES\VISUAL NETWORKS\VISUAL IP INSIGHT\SBC\IPMon32.exe"
    O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\SYSTEM\host32.exe internat.dll,LoadKeyboardProfile
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [dRMON SmartAgent] drmon\SmartAgt\SmartAgt.exe
    O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe
    O4 - HKLM\..\RunServices: [rmmon] C:\WINDOWS\SYSTEM\mprmmon.exe
    O4 - HKLM\..\RunServices: [AVX Communicator] C:\WINDOWS\SYSTEM\XCOMMSVR.EXE
    O4 - HKLM\..\RunServices: [AvxIni] c:\program files\softwin\antivirus expert professional\avxinit.exe
    O4 - HKCU\..\Run: [OfotoNow USB Detection] C:\WINDOWS\RunDLL32.exe C:\PROGRA~1\OFOTO\OFOTONOW\OFUSBS.DLL,WatchForConnection OfotoNow
    O4 - Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    O4 - Startup: Screen Saver Control.lnk = C:\WINDOWS\FSScrCtl.exe
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\AIM\AIM.EXE
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL
    O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
    O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
    O12 - Plugin for .swf: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npswf32.dll
    O16 - DPF: {8D83D301-E841-11D1-B155-00600823BCF9} (WebLine Browser Integration Classes) - http://collsrv.thrifty.com/webline/applets/msie40x.cab
    O16 - DPF: HushEncryptionEngine - https://mailserver1.hushmail.com/shared/HushEncryptionEngine.cab
    O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
    O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
     
  12. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    I don't see anything in your log.

    Please be more specific about this plugin. Is "Please Wait as we prepare the plugin" all that it says?

    Also tell me exactly what the file name or reg entry is that Adaware is finding for the TIB browser.
     
  13. rico123456

    rico123456 Thread Starter

    Joined:
    Sep 5, 2004
    Messages:
    58
    When I turned on the computer this morning, not connected to the Internet, it tried to open Internet Explorer and www.dialer.admin. (I am trying to get SBCYahoo DSL and have partially installed it but have not been able to connect it. I don't know if that is related.)

    I ran Adaware and got these identified (I quarantined them)

    TIB BROWSER
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    obj[0]=Regkey : .DEFAULT\software\websiteviewer
    obj[1]=Folder : C:\Program Files\WebSiteViewer

    I ran spybot and it said everything was OK

    I signed on to my dialup and connected but I can't get my Internet Explorer to open up pages. So I am sending you this from Netscape.

    As the forums.techguy.org page was opening up, a window appeared with the following.

    WEB DIALER
    press 'Cancel' immediately. By clicking the 'Connect Now' button and continuing further, you acknowledge that you are the line subscriber or are otherwise authorized by the line subscriber to incur charges on the phone number to be billed. In addition, by clicking that 'Connect now' button, you represent that you are not a U.S. Postal official or a law enforcement agent (or acting as an agent thereof) and that you may download and are permitted to view adult materials in the community in which you reside. If you are not the telephone line subscriber or do not have the telephone line subscriber's authorization to bill charges to the telephone number, click the 'Cancel' button.

    I did a search for dial and found that these three things were created in windows on sept. 4

    dial32.exe
    dkdial.exe
    newdial.exe

    Thank you
     
  14. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
  15. rico123456

    rico123456 Thread Starter

    Joined:
    Sep 5, 2004
    Messages:
    58
    I just left my computer for about 15 minutes (while I was running Adaware again and was trying to open an Internet Explorer file.) When I came back, there was a porn window that had opened up, hardcore teen sex and there is a shortcut on my desktop to it with a telephone and computer icon. This has been part of the recurring problem

    I looked at my desktop file names and saw there is now one called hardcore teen sex.
    Looking at the properties I see.

    C:\Program Files\WebSiteViewer\124309.exe" /ac:124309 /sk:tte /lc: /ul

    Doing a searchfor 124309, there are many files that were created Sept. 4

    124309 c: (created 9-4)

    These were created this morning at 11:18
    124309.dlr c:/Program Files/Websiteviewer
    124309.ico c:/Programf Files/Websiteviewer
    124309.dd c:/Program Files/Websiteviewer

    124309.exe c:/Program Files/Websiteviewer (created 9-4)

    124309.dlr c:/Program Files/Yahoo!/YPSR/Quarantine/ppq4113.TMP
    124309.ico c:/Program Files/Yahoo!/YPSR/Quarantine/ppq4113.TMP
    124309.dd c:/Program Files/Yahoo!/YPSR/Quarantine/ppq4113.TMP
    124309.exe c:/Program Files/Yahoo!/YPSR/Quarantine/ppq4113.TMP
     
  16. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Similar Threads - Hijacked dialer plugin
  1. genubi
    Replies:
    0
    Views:
    278
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/270446

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice