1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Solved hyjackthis

Discussion in 'Virus & Other Malware Removal' started by merginsmama, Apr 28, 2004.

Unmark Solved
Thread Status:
Not open for further replies.
Advertisement
  1. merginsmama

    merginsmama Guest Thread Starter

    I have alot of stuff running in the background and my computer seems kinda slow. Didn't know if I need to do anything about it. I have ran scan disk and defragmenter. But still seems to hang up on me.
     
  2. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    114,429
    Hi and welcome to TSG,

    Was it your intention to post a Hijack This scan log?

    Cookie
     
  3. merginsmama

    merginsmama Guest Thread Starter

    Yes I did
    but I am not sure how to do it.
     
  4. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    Once you have made the scan just save the scanlog. Then with it open select Edit > Select All > Edit > Copy.

    The entire text should highlight and copy to the clipboard. Then just right click on a reply window here and select "paste". The entire text of the log should appear.
     
  5. merginsmama

    merginsmama Guest Thread Starter

    Logfile of HijackThis v1.94.0
    Scan saved at 8:20:57 PM, on 4/28/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=file://C:\WINDOWS\SYSTEM/left.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=www.cox.net
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://www.couldnotfind.com/search_page.html?&account_id=135343
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar=about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default)=about:blank
    R3 - URLSearchHook: (no name) - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
    R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
    R3 - URLSearchHook: (no name) - {4FC95EDD-4796-4966-9049-29649C80111D} - (no file)
    O2 - BHO: (no name) - {0DDBB570-0396-44C9-986A-8F6F61A51C2F} - C:\WINDOWS\SYSTEM\MSIEFR40.DLL
    O2 - BHO: (no name) - {087173EF-9829-4F49-8340-A524177D3F60} - C:\WINDOWS\SYSTEM\INETP60.DLL
    O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\BXXS5.DLL
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [bpcpost.exe] C:\WINDOWS\SYSTEM\bpcpost.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [AutoUpdater] c:\PROGRA~1\AUTOUP~1\AUTOUP~1.EXE
    O4 - HKLM\..\Run: [Dpi] C:\PROGRAM FILES\COMMON FILES\DPI\DPI.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [Rundll32_7] rundll32.exe C:\WINDOWS\SYSTEM\MSIEFR40.DLL,DllRunServer
    O4 - HKLM\..\Run: [BELT] C:\WINDOWS\BELT.exe
    O4 - HKLM\..\Run: [Rundll16] C:\WINDOWS\RUNDLL16.EXE
    O4 - HKLM\..\Run: [RunWindowsUpdate] C:\WINDOWS\UPTODATE.EXE
    O4 - HKLM\..\Run: [UpdateStats] C:\Program Files\Media\Media\UpdateStats.exe
    O4 - HKLM\..\Run: [{2CF0B992-5EEB-4143-99C0-5297EF71F444}] rundll32.exe C:\WINDOWS\SYSTEM\STLBDIST.DLL,DllRunMain
    O4 - HKLM\..\Run: [Rundll32_8] rundll32.exe C:\WINDOWS\SYSTEM\INETP60.DLL,DllRunServer
    O4 - HKLM\..\Run: [Norton Antivirus AV] C:\WINDOWS\FVProtect.exe
    O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\BXXS5.DLL,DllRun
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [PCDRealtime] C:\WINDOWS\realtime.exe
    O4 - HKLM\..\Run: [updmgr] C:\Program Files\Common files\updmgr\updmgr.exe
    O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
    O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [Terminate Popup] C:\PROGRAM FILES\FREE-POPUP-KILLER\FPUK.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
    O4 - Startup: CheckIt 86.lnk = C:\Program Files\CheckIt\86\CheckIt86.exe
    O8 - Extra context menu item: Add To CheckIt &86 Trust List - C:\PROGRA~1\CHECKIT\86\AddToTrustList.js
    O9 - Extra 'Tools' menuitem: CheckIt &86 (HKLM)
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: AIM (HKLM)
    O15 - Trusted Zone: http://free.aol.com
    O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {4B9F2C37-C0CF-42BC-BB2D-DCFA8B25CABF} (PopCapLoaderCtrl Class) - http://zone.msn.com/bingame/rock/default/popcaploader1.cab
    O16 - DPF: {65E7DB1D-0101-4100-BD66-C5C78C917F93} (WTDMMPVersion Class) - http://install.wildtangent.com/bgn/partners/aolim/install.cab
    O16 - DPF: {2119776A-F1AD-4FCD-9548-F1E1C615350C} - http://www.stop-sign.com/pub/download/stop-sign_pop.cab
    O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
    O16 - DPF: {30000273-8230-4DD4-BE4F-6889D1E74167} - http://download.abetterinternet.com/download/cabs/FON19106/flash.cab
    O16 - DPF: {20000273-8230-4DD4-BE4F-6889D1E74167} - http://download2.abetterinternet.com/download/cabs/FON19106/payload2.cab
    O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
    O16 - DPF: {B160422D-0A48-11D4-BD9B-00A0C9B0AB7B} (Download Class) - http://expressit.broderbund.com/plugin/Download.cab
    O16 - DPF: {4C470CD2-7394-11D4-9691-00D0B707528C} (Upload Class) - http://www.expressit.com/plugin/UpldPlug.cab
    O16 - DPF: {38578BF0-0ABB-11D3-9330-0080C6F796A1} (Create & Print ActiveX Plug-in) - http://www.imgag.com/cp/install/AxCtp.cab
    O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://photo.walmart.com/photo/upload/XUpload.ocx
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38076.2515740741
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
    O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://usercenter.cox.net/rsuite/sdccommon/asp/cx_tgctlcm.jsp
    O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://zone.msn.com/binGame/ZAxRcMgr.cab
     
  6. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    114,429
    Yes, you did it right but unfortunately that's a very old version of Hijack This.

    Please download the latest one, v1.97.7 at this link and post the log again.

    http://www.sherrylynn.us/HijackThis.exe

    Cookie
     
  7. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    114,429
    Actually, you cut off part of the log that shows the running processes.

    Next time once you've saved the log, click on edit - select all - copy - paste into your post.

    Cookie
     
  8. merginsmama

    merginsmama Guest Thread Starter

    Logfile of HijackThis v1.97.7
    Scan saved at 7:08:47 AM, on 4/29/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\COMMON FILES\DPI\DPI.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    C:\WINDOWS\RUNDLL32.EXE
    C:\WINDOWS\RUNDLL16.EXE
    C:\WINDOWS\RUNDLL32.EXE
    C:\WINDOWS\RUNDLL32.EXE
    C:\WINDOWS\FVPROTECT.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\PROGRAM FILES\COMMON FILES\UPDMGR\UPDMGR.EXE
    C:\PROGRAM FILES\AIM\AIM.EXE
    C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
    C:\PROGRAM FILES\CHECKIT\86\CHECKIT86.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\WINDOWS\TEMP\FDA\HIJACKTHIS.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\SYSTEM/left.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.cox.net
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search_page.html?&account_id=135343
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://hamptonroads.cox.net/
    R3 - URLSearchHook: (no name) - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
    R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
    R3 - URLSearchHook: (no name) - {4FC95EDD-4796-4966-9049-29649C80111D} - (no file)
    O2 - BHO: (no name) - {0DDBB570-0396-44C9-986A-8F6F61A51C2F} - C:\WINDOWS\SYSTEM\MSIEFR40.DLL
    O2 - BHO: (no name) - {087173EF-9829-4F49-8340-A524177D3F60} - C:\WINDOWS\SYSTEM\INETP60.DLL
    O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\BXXS5.DLL
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [bpcpost.exe] C:\WINDOWS\SYSTEM\bpcpost.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [AutoUpdater] c:\PROGRA~1\AUTOUP~1\AUTOUP~1.EXE
    O4 - HKLM\..\Run: [Dpi] C:\PROGRAM FILES\COMMON FILES\DPI\DPI.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [Rundll32_7] rundll32.exe C:\WINDOWS\SYSTEM\MSIEFR40.DLL,DllRunServer
    O4 - HKLM\..\Run: [BELT] C:\WINDOWS\BELT.exe
    O4 - HKLM\..\Run: [Rundll16] C:\WINDOWS\RUNDLL16.EXE
    O4 - HKLM\..\Run: [RunWindowsUpdate] C:\WINDOWS\UPTODATE.EXE
    O4 - HKLM\..\Run: [UpdateStats] C:\Program Files\Media\Media\UpdateStats.exe
    O4 - HKLM\..\Run: [{2CF0B992-5EEB-4143-99C0-5297EF71F444}] rundll32.exe C:\WINDOWS\SYSTEM\STLBDIST.DLL,DllRunMain
    O4 - HKLM\..\Run: [Rundll32_8] rundll32.exe C:\WINDOWS\SYSTEM\INETP60.DLL,DllRunServer
    O4 - HKLM\..\Run: [Norton Antivirus AV] C:\WINDOWS\FVProtect.exe
    O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\BXXS5.DLL,DllRun
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [PCDRealtime] C:\WINDOWS\realtime.exe
    O4 - HKLM\..\Run: [updmgr] C:\Program Files\Common files\updmgr\updmgr.exe
    O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
    O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [Terminate Popup] C:\PROGRAM FILES\FREE-POPUP-KILLER\FPUK.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
    O4 - Startup: CheckIt 86.lnk = C:\Program Files\CheckIt\86\CheckIt86.exe
    O8 - Extra context menu item: Add To CheckIt &86 Trust List - C:\PROGRA~1\CHECKIT\86\AddToTrustList.js
    O9 - Extra 'Tools' menuitem: CheckIt &86 (HKLM)
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: AIM (HKLM)
    O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {4B9F2C37-C0CF-42BC-BB2D-DCFA8B25CABF} (PopCapLoaderCtrl Class) - http://zone.msn.com/bingame/rock/default/popcaploader1.cab
    O16 - DPF: {65E7DB1D-0101-4100-BD66-C5C78C917F93} (WTDMMPVersion Class) - http://install.wildtangent.com/bgn/partners/aolim/install.cab
    O16 - DPF: {2119776A-F1AD-4FCD-9548-F1E1C615350C} - http://www.stop-sign.com/pub/download/stop-sign_pop.cab
    O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
    O16 - DPF: {30000273-8230-4DD4-BE4F-6889D1E74167} - http://download.abetterinternet.com/download/cabs/FON19106/flash.cab
    O16 - DPF: {20000273-8230-4DD4-BE4F-6889D1E74167} - http://download2.abetterinternet.com/download/cabs/FON19106/payload2.cab
    O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
    O16 - DPF: {B160422D-0A48-11D4-BD9B-00A0C9B0AB7B} (Download Class) - http://expressit.broderbund.com/plugin/Download.cab
    O16 - DPF: {4C470CD2-7394-11D4-9691-00D0B707528C} (Upload Class) - http://www.expressit.com/plugin/UpldPlug.cab
    O16 - DPF: {38578BF0-0ABB-11D3-9330-0080C6F796A1} (Create & Print ActiveX Plug-in) - http://www.imgag.com/cp/install/AxCtp.cab
    O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://photo.walmart.com/photo/upload/XUpload.ocx
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38076.2515740741
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
    O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://usercenter.cox.net/rsuite/sdccommon/asp/cx_tgctlcm.jsp
    O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://zone.msn.com/binGame/ZAxRcMgr.cab
     
  9. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    Since you have such a badly compromised system I'm going to move the thread to the Security forum. And rather than give you detailed manual cleaning instructions at this time, let's reserve that until you have run a few systematic detection and cleanup tools.

    Start with the CoolWebShredder, CWShredder.exe available below:

    http://www.spywareinfo.com/~merijn/downloads.html

    Run it and have it "fix" problems then reboot.

    >> next you need to install, UPDATE, and run full scans with either Ad-Aware or Spybot, or preferably both. After having them delete suspicious files, reboot and post a new Scanlog.

    Please read and follow the instructions accompanying these links:

    Spybot Instructions and Download
    Ad-Aware Home Page and Ad-Aware 6: Reference Guide by Winchester73
     
  10. merginsmama

    merginsmama Guest Thread Starter

    I ran spybot and ad aware.



    Logfile of HijackThis v1.94.0
    Scan saved at 12:17:36 PM, on 4/29/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=file://C:\WINDOWS\SYSTEM/left.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=www.cox.net
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar=about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default)=about:blank
    R3 - URLSearchHook: (no name) - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
    R3 - URLSearchHook: (no name) - {4FC95EDD-4796-4966-9049-29649C80111D} - (no file)
    O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
    O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - (no file)
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [bpcpost.exe] C:\WINDOWS\SYSTEM\bpcpost.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [AutoUpdater] c:\PROGRA~1\AUTOUP~1\AUTOUP~1.EXE
    O4 - HKLM\..\Run: [Dpi] C:\PROGRAM FILES\COMMON FILES\DPI\DPI.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [Norton Antivirus AV] C:\WINDOWS\FVProtect.exe
    O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\BXXS5.DLL,DllRun
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [PCDRealtime] C:\WINDOWS\realtime.exe
    O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
    O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [Terminate Popup] C:\PROGRAM FILES\FREE-POPUP-KILLER\FPUK.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
    O4 - Startup: CheckIt 86.lnk = C:\Program Files\CheckIt\86\CheckIt86.exe
    O8 - Extra context menu item: Add To CheckIt &86 Trust List - C:\PROGRA~1\CHECKIT\86\AddToTrustList.js
    O9 - Extra 'Tools' menuitem: CheckIt &86 (HKLM)
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: AIM (HKLM)
    O15 - Trusted Zone: http://free.aol.com
    O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {4B9F2C37-C0CF-42BC-BB2D-DCFA8B25CABF} (PopCapLoaderCtrl Class) - http://zone.msn.com/bingame/rock/default/popcaploader1.cab
    O16 - DPF: {65E7DB1D-0101-4100-BD66-C5C78C917F93} (WTDMMPVersion Class) - http://install.wildtangent.com/bgn/partners/aolim/install.cab
    O16 - DPF: {2119776A-F1AD-4FCD-9548-F1E1C615350C} - http://www.stop-sign.com/pub/download/stop-sign_pop.cab
    O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
    O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
    O16 - DPF: {B160422D-0A48-11D4-BD9B-00A0C9B0AB7B} (Download Class) - http://expressit.broderbund.com/plugin/Download.cab
    O16 - DPF: {4C470CD2-7394-11D4-9691-00D0B707528C} (Upload Class) - http://www.expressit.com/plugin/UpldPlug.cab
    O16 - DPF: {38578BF0-0ABB-11D3-9330-0080C6F796A1} (Create & Print ActiveX Plug-in) - http://www.imgag.com/cp/install/AxCtp.cab
    O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://photo.walmart.com/photo/upload/XUpload.ocx
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38076.2515740741
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
    O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://usercenter.cox.net/rsuite/sdccommon/asp/cx_tgctlcm.jsp
    O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://zone.msn.com/binGame/ZAxRcMgr.cab
     
  11. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    114,429
    Your back with the old version of Hijack This again. Please rescan with the latest version and post another log.

    Cookie
     
  12. merginsmama

    merginsmama Guest Thread Starter

    Logfile of HijackThis v1.97.7
    Scan saved at 7:17:58 PM, on 4/29/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\PROGRAM FILES\COMMON FILES\DPI\DPI.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\PROGRAM FILES\CHECKIT\86\CHECKIT86.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\RUNDLL32.EXE
    C:\WINDOWS\RUNDLL32.EXE
    C:\PROGRAM FILES\AIM\AIM.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\WINDOWS\TEMP\FDA\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\SYSTEM/left.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.cox.net
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://hamptonroads.cox.net/
    R3 - URLSearchHook: (no name) - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
    R3 - URLSearchHook: (no name) - {4FC95EDD-4796-4966-9049-29649C80111D} - (no file)
    O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
    O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - (no file)
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [bpcpost.exe] C:\WINDOWS\SYSTEM\bpcpost.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [AutoUpdater] c:\PROGRA~1\AUTOUP~1\AUTOUP~1.EXE
    O4 - HKLM\..\Run: [Dpi] C:\PROGRAM FILES\COMMON FILES\DPI\DPI.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [Norton Antivirus AV] C:\WINDOWS\FVProtect.exe
    O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\BXXS5.DLL,DllRun
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [PCDRealtime] C:\WINDOWS\realtime.exe
    O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
    O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [Terminate Popup] C:\PROGRAM FILES\FREE-POPUP-KILLER\FPUK.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
    O4 - HKLM\..\RunOnce: [SpyBotSnD] "C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\SPYBOTSD.EXE" /autocheck
    O4 - Startup: CheckIt 86.lnk = C:\Program Files\CheckIt\86\CheckIt86.exe
    O8 - Extra context menu item: Add To CheckIt &86 Trust List - C:\PROGRA~1\CHECKIT\86\AddToTrustList.js
    O9 - Extra 'Tools' menuitem: CheckIt &86 (HKLM)
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: AIM (HKLM)
    O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {4B9F2C37-C0CF-42BC-BB2D-DCFA8B25CABF} (PopCapLoaderCtrl Class) - http://zone.msn.com/bingame/rock/default/popcaploader1.cab
    O16 - DPF: {65E7DB1D-0101-4100-BD66-C5C78C917F93} (WTDMMPVersion Class) - http://install.wildtangent.com/bgn/partners/aolim/install.cab
    O16 - DPF: {2119776A-F1AD-4FCD-9548-F1E1C615350C} - http://www.stop-sign.com/pub/download/stop-sign_pop.cab
    O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
    O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
    O16 - DPF: {B160422D-0A48-11D4-BD9B-00A0C9B0AB7B} (Download Class) - http://expressit.broderbund.com/plugin/Download.cab
    O16 - DPF: {4C470CD2-7394-11D4-9691-00D0B707528C} (Upload Class) - http://www.expressit.com/plugin/UpldPlug.cab
    O16 - DPF: {38578BF0-0ABB-11D3-9330-0080C6F796A1} (Create & Print ActiveX Plug-in) - http://www.imgag.com/cp/install/AxCtp.cab
    O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://photo.walmart.com/photo/upload/XUpload.ocx
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38076.2515740741
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
    O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://usercenter.cox.net/rsuite/sdccommon/asp/cx_tgctlcm.jsp
    O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://zone.msn.com/binGame/ZAxRcMgr.cab
     
  13. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    Okedoke, now we do the manual cleaning.

    Check the following entries in the HijackThis Scanlog, close all browser windows, and click "fix checked":

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\SYSTEM/left.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank

    R3 - URLSearchHook: (no name) - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
    R3 - URLSearchHook: (no name) - {4FC95EDD-4796-4966-9049-29649C80111D} - (no file)
    O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
    O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - (no file)

    O4 - HKLM\..\Run: [AutoUpdater] c:\PROGRAM FILES\AUTOUPDATER\AUTOUP~1.EXE
    O4 - HKLM\..\Run: [Dpi] C:\PROGRAM FILES\COMMON FILES\DPI\DPI.EXE

    O4 - HKLM\..\Run: [Norton Antivirus AV] C:\WINDOWS\FVProtect.exe

    see: http://securityresponse.symantec.com/avcenter/venc/data/[email protected]

    There is a removal tool available from Symantec here, which should also be run: http://securityresponse.symantec.com/avcenter/venc/data/[email protected]

    O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\BXXS5.DLL,DllRun

    O4 - HKLM\..\Run: [PCDRealtime] C:\WINDOWS\realtime.exe

    O4 - HKCU\..\Run: [Terminate Popup] C:\PROGRAM FILES\FREE-POPUP-KILLER\FPUK.exe

    Note: Program Name: Terminate Popup
    Executable Name: FPUK.exe ZPU.exe
    Required: NO!! Virus, spyware, or resource hog
    Comments: Free Popup Killer - foistware proven to install the Regsvc32 homepage hijacker.*

    ref: http://www.lafn.org/webconnect/mentor/startup/PENINDEX.HTM

    >>> after fixing, reboot and find and delete the files or folders bolded above. Then post a fresh scanlog.
     
  14. merginsmama

    merginsmama Guest Thread Starter

    Logfile of HijackThis v1.97.7
    Scan saved at 9:07:26 PM, on 4/29/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\PROGRAM FILES\AIM\AIM.EXE
    C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
    C:\PROGRAM FILES\CHECKIT\86\CHECKIT86.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\WINDOWS\TEMP\FDA\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.cox.net
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://hamptonroads.cox.net/
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [bpcpost.exe] C:\WINDOWS\SYSTEM\bpcpost.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
    O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
    O4 - Startup: CheckIt 86.lnk = C:\Program Files\CheckIt\86\CheckIt86.exe
    O8 - Extra context menu item: Add To CheckIt &86 Trust List - C:\PROGRA~1\CHECKIT\86\AddToTrustList.js
    O9 - Extra 'Tools' menuitem: CheckIt &86 (HKLM)
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: AIM (HKLM)
    O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {4B9F2C37-C0CF-42BC-BB2D-DCFA8B25CABF} (PopCapLoaderCtrl Class) - http://zone.msn.com/bingame/rock/default/popcaploader1.cab
    O16 - DPF: {65E7DB1D-0101-4100-BD66-C5C78C917F93} (WTDMMPVersion Class) - http://install.wildtangent.com/bgn/partners/aolim/install.cab
    O16 - DPF: {2119776A-F1AD-4FCD-9548-F1E1C615350C} - http://www.stop-sign.com/pub/download/stop-sign_pop.cab
    O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
    O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
    O16 - DPF: {B160422D-0A48-11D4-BD9B-00A0C9B0AB7B} (Download Class) - http://expressit.broderbund.com/plugin/Download.cab
    O16 - DPF: {4C470CD2-7394-11D4-9691-00D0B707528C} (Upload Class) - http://www.expressit.com/plugin/UpldPlug.cab
    O16 - DPF: {38578BF0-0ABB-11D3-9330-0080C6F796A1} (Create & Print ActiveX Plug-in) - http://www.imgag.com/cp/install/AxCtp.cab
    O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://photo.walmart.com/photo/upload/XUpload.ocx
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38076.2515740741
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
    O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://usercenter.cox.net/rsuite/sdccommon/asp/cx_tgctlcm.jsp
    O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://zone.msn.com/binGame/ZAxRcMgr.cab
     
  15. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    It looks like you did quite well -- however this one seems to have escaped the axe:

    O4 - HKLM\..\Run: [bpcpost.exe] C:\WINDOWS\SYSTEM\bpcpost.exe

    Check and fix that with the HijackThis Scanlog. If it hasn't been deleted (you would have received a startup error), reboot and delete it. Then give us one more Scanlog to confirm it has stayed deleted.
     
  16. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/224661

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice