1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

HJT log

Discussion in 'Virus & Other Malware Removal' started by lizamp2001, Sep 13, 2004.

Thread Status:
Not open for further replies.
Advertisement
  1. lizamp2001

    lizamp2001 Thread Starter

    Joined:
    Apr 19, 2004
    Messages:
    74
    :eek: Well I ran Spybot, Adaware, Nortons and came up with alot of garbage. I even ran CWS even though I didn't see a need for it other than something in my add/remove files called My Web Search-cool screensavers that I can't seem to remove (needless to say CWS wouldn't even kill it). There are a couple files and whatnot I keep deleting only to find, after a reboot, they have returned. I know I am still doing it wrong and now I beg for help!!! lol

    Thank you in advance for reviewing.


    Logfile of HijackThis v1.97.7
    Scan saved at 5:39:53 PM, on 14/09/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINJECT.EXE
    C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON UTILITIES\NPROTECT.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
    C:\PROGRAM FILES\NORTON INTERNET SECURITY PROFESSIONAL\NISUM.EXE
    C:\PROGRAM FILES\NORTON INTERNET SECURITY PROFESSIONAL\CCPXYSVC.EXE
    C:\PROGRAM FILES\EXECUTIVE SOFTWARE\DISKEEPER\DKSERVICE.EXE
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\PROGRAM FILES\EFFICIENT NETWORKS\ENTERNET 300\APP\ENTERNET.EXE
    C:\WINDOWS\RUNDLL32.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
    C:\WINDOWS\SYSTEM\ATIPTAXX.EXE
    C:\WINDOWS\SYSTEM\HPZTSB04.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\PROGRAM FILES\EXCITE\PRVTMSGR\BIN\X8IMPIPE.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\PROGRAM FILES\MSN APPS\UPDATER\01.02.0002.1001\EN-CA\MSNAPPAU.EXE
    C:\PROGRAM FILES\WINAD CLIENT\WINAD.EXE
    C:\PROGRAM FILES\WEB_REBATES\WEBREBATES0.EXE
    C:\WINDOWS\SYSTEM\HJUMOUKA.EXE
    C:\WINDOWS\SYSTEM\CTFMON.EXE
    C:\PROGRAM FILES\WINAD CLIENT\WINCLT.EXE
    C:\WINDOWS\APPLICATION DATA\NCTT.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\WEB_REBATES\WEBREBATES1.EXE
    C:\PROGRAM FILES\YAHOO!\MESSENGER\YMSGR_TRAY.EXE
    C:\MY DOCUMENTS\REPAIR PROGS\HIJACK THIS\HIJACKTHIS.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_12_0.DLL
    O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\TWAINTEC.DLL
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Yahoo! Canada Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_12_0.DLL
    O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN TOOLBAR\01.01.1601.0\MSGR.EN-US.EN-CA\MSNTB.DLL
    O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\nprotect.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
    O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb04.exe
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [Excite Private Messenger Pipe] C:\Program Files\Excite\PrvtMsgr\bin\x8IMPipe.exe
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE
    O4 - HKLM\..\Run: [msnappau] "c:\program files\MSN Apps\Updater\01.02.0002.1001\en-ca\msnappau.exe"
    O4 - HKLM\..\Run: [Winad Client] C:\PROGRAM FILES\WINAD CLIENT\WINAD.EXE
    O4 - HKLM\..\Run: [WebRebates0] "C:\PROGRAM FILES\WEB_REBATES\WebRebates0.exe"
    O4 - HKLM\..\Run: [bimrigewi] C:\WINDOWS\SYSTEM\hjumouka.exe
    O4 - HKLM\..\Run: [ALCHEM] C:\WINDOWS\ALCHEM.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [MDM7] "C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE"
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [CSINJECT.EXE] C:\Program Files\Norton SystemWorks\Norton CleanSweep\CSINJECT.EXE
    O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\nprotect.exe
    O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
    O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
    O4 - HKLM\..\RunServices: [Nisum] C:\Program Files\Norton Internet Security Professional\NISUM.EXE
    O4 - HKLM\..\RunServices: [ccPxySvc] C:\PROGRA~1\NORTON~3\CCPXYSVC.EXE
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O4 - HKLM\..\RunServices: [DkService] C:\Program Files\Executive Software\Diskeeper\DkService.exe
    O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
    O4 - HKCU\..\Run: [Atlu] C:\WINDOWS\Application Data\nctt.exe
    O4 - Startup: PowerReg Scheduler V3.exe
    O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Web Rebates - file://C:\PROGRAM FILES\WEB_REBATES\Sy1150\Tp1150\scri1150a.htm
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll
    O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37989.3836342593
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_f...b99933536261:5384e68ecedbe601989f3130ba048162
     
  2. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    A new version of Hijack This has been released so get rid of the old one and Click here to download the new one, come back here and post the log from it.
     
  3. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Before you post the next log go to Add/Remove programs and uninstall WINAD CLIENT and WEB_REBATES.

    Restart your computer and then scan with the new version of Hijack This and post that log.
     
  4. lizamp2001

    lizamp2001 Thread Starter

    Joined:
    Apr 19, 2004
    Messages:
    74
    Okay, loaded the newer version of Hijack and here is the most current log.

    Logfile of HijackThis v1.98.2
    Scan saved at 7:01:21 PM, on 14/09/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINJECT.EXE
    C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON UTILITIES\NPROTECT.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
    C:\PROGRAM FILES\NORTON INTERNET SECURITY PROFESSIONAL\NISUM.EXE
    C:\PROGRAM FILES\NORTON INTERNET SECURITY PROFESSIONAL\CCPXYSVC.EXE
    C:\PROGRAM FILES\EXECUTIVE SOFTWARE\DISKEEPER\DKSERVICE.EXE
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\PROGRAM FILES\EFFICIENT NETWORKS\ENTERNET 300\APP\ENTERNET.EXE
    C:\WINDOWS\RUNDLL32.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
    C:\WINDOWS\SYSTEM\ATIPTAXX.EXE
    C:\WINDOWS\SYSTEM\HPZTSB04.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\PROGRAM FILES\EXCITE\PRVTMSGR\BIN\X8IMPIPE.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\PROGRAM FILES\MSN APPS\UPDATER\01.02.0002.1001\EN-CA\MSNAPPAU.EXE
    C:\WINDOWS\SYSTEM\HJUMOUKA.EXE
    C:\WINDOWS\SYSTEM\CTFMON.EXE
    C:\WINDOWS\APPLICATION DATA\NCTT.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\EXCITE\PRVTMSGR\BIN\X8PLAY.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\YNAZIX2J\HIJACKTHIS[1].EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_12_0.DLL
    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: twaintecObj Class - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\TWAINTEC.DLL
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Yahoo! Canada Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_12_0.DLL
    O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN TOOLBAR\01.01.1601.0\MSGR.EN-US.EN-CA\MSNTB.DLL
    O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\nprotect.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
    O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb04.exe
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [Excite Private Messenger Pipe] C:\Program Files\Excite\PrvtMsgr\bin\x8IMPipe.exe
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE
    O4 - HKLM\..\Run: [msnappau] "c:\program files\MSN Apps\Updater\01.02.0002.1001\en-ca\msnappau.exe"
    O4 - HKLM\..\Run: [Winad Client] C:\PROGRAM FILES\WINAD CLIENT\WINAD.EXE
    O4 - HKLM\..\Run: [bimrigewi] C:\WINDOWS\SYSTEM\hjumouka.exe
    O4 - HKLM\..\Run: [ALCHEM] C:\WINDOWS\ALCHEM.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [MDM7] "C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE"
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [CSINJECT.EXE] C:\Program Files\Norton SystemWorks\Norton CleanSweep\CSINJECT.EXE
    O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\nprotect.exe
    O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
    O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
    O4 - HKLM\..\RunServices: [Nisum] C:\Program Files\Norton Internet Security Professional\NISUM.EXE
    O4 - HKLM\..\RunServices: [ccPxySvc] C:\PROGRA~1\NORTON~3\CCPXYSVC.EXE
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O4 - HKLM\..\RunServices: [DkService] C:\Program Files\Executive Software\Diskeeper\DkService.exe
    O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
    O4 - HKCU\..\Run: [Atlu] C:\WINDOWS\Application Data\nctt.exe
    O4 - Startup: PowerReg Scheduler V3.exe
    O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0411.DLL
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0411.DLL
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
    O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll
    O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe
    O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_f...b99933536261:5384e68ecedbe601989f3130ba048162
     
  5. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Go to Add/Remove programs and uninstall WINAD CLIENT and WEB_REBATES.

    Run Hijack This again and put a check by these. Close ALL windows except HijackThis and click "Fix checked"

    O2 - BHO: twaintecObj Class - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\TWAINTEC.DLL

    O4 - HKLM\..\Run: [Winad Client] C:\PROGRAM FILES\WINAD CLIENT\WINAD.EXE

    O4 - HKLM\..\Run: [bimrigewi] C:\WINDOWS\SYSTEM\hjumouka.exe

    O4 - HKLM\..\Run: [ALCHEM] C:\WINDOWS\ALCHEM.exe

    O4 - HKCU\..\Run: [Atlu] C:\WINDOWS\Application Data\nctt.exe

    O4 - Startup: PowerReg Scheduler V3.exe

    O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_f...89f3130ba048162


    Restart to safe mode.

    How to start your computer in safe mode

    First in safe mode click on My Computer then go to View > Folder Options. Click on the "View" tab and make sure "Show all files" is ticked and uncheck "Hide file extensions for known file types". Click "Like Current Folder" then click "Apply" then "OK"

    Now find and delete these files:

    C:\WINDOWS\SYSTEM\hjumouka.exe
    C:\WINDOWS\Application Data\nctt.exe
    C:\WINDOWS\ALCHEM.exe

    Delete this folder:

    C:\PROGRAM FILES\WINAD CLIENT

    Empty the recycle bin.
     
  6. lizamp2001

    lizamp2001 Thread Starter

    Joined:
    Apr 19, 2004
    Messages:
    74
    Here is, what I hope will be, a clean log. Thank you again so much for your help and patience!

    Logfile of HijackThis v1.98.2
    Scan saved at 8:34:54 PM, on 14/09/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINJECT.EXE
    C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON UTILITIES\NPROTECT.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
    C:\PROGRAM FILES\NORTON INTERNET SECURITY PROFESSIONAL\NISUM.EXE
    C:\PROGRAM FILES\NORTON INTERNET SECURITY PROFESSIONAL\CCPXYSVC.EXE
    C:\PROGRAM FILES\EXECUTIVE SOFTWARE\DISKEEPER\DKSERVICE.EXE
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\PROGRAM FILES\EFFICIENT NETWORKS\ENTERNET 300\APP\ENTERNET.EXE
    C:\WINDOWS\RUNDLL32.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
    C:\WINDOWS\SYSTEM\ATIPTAXX.EXE
    C:\WINDOWS\SYSTEM\HPZTSB04.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\PROGRAM FILES\EXCITE\PRVTMSGR\BIN\X8IMPIPE.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\PROGRAM FILES\MSN APPS\UPDATER\01.02.0002.1001\EN-CA\MSNAPPAU.EXE
    C:\WINDOWS\SYSTEM\CTFMON.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\MY DOCUMENTS\REPAIR PROGS\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_12_0.DLL
    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Yahoo! Canada Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_12_0.DLL
    O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN TOOLBAR\01.01.1601.0\MSGR.EN-US.EN-CA\MSNTB.DLL
    O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\nprotect.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
    O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb04.exe
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [Excite Private Messenger Pipe] C:\Program Files\Excite\PrvtMsgr\bin\x8IMPipe.exe
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE
    O4 - HKLM\..\Run: [msnappau] "c:\program files\MSN Apps\Updater\01.02.0002.1001\en-ca\msnappau.exe"
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [MDM7] "C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE"
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [CSINJECT.EXE] C:\Program Files\Norton SystemWorks\Norton CleanSweep\CSINJECT.EXE
    O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\nprotect.exe
    O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
    O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
    O4 - HKLM\..\RunServices: [Nisum] C:\Program Files\Norton Internet Security Professional\NISUM.EXE
    O4 - HKLM\..\RunServices: [ccPxySvc] C:\PROGRA~1\NORTON~3\CCPXYSVC.EXE
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O4 - HKLM\..\RunServices: [DkService] C:\Program Files\Executive Software\Diskeeper\DkService.exe
    O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
    O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0411.DLL
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0411.DLL
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
    O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll
    O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe
     
  7. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Clean! (y)

    Check this out for info on how to tighten your security settings and some good free tools to help prevent this from happening again.
     
  8. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/273597

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice