Status
Not open for further replies.

Please help, trying to figure out hijack

In Progress 
2K views 1 reply 2 participants last post by  askey127 
#1 ·
I recently had to use my recovery disk as I have had major problems with missing components. Now I don't have enough drive space, so something is wrong; any help would be appreciated. Thanks to any help given. I am not too familiar with computer stuff, I just use it mainly for PC games. Looks like some sites that shouldn't be there, and I wonder how they got there.

Logfile of HijackThis v1.97.7
Scan saved at 12:31:06 AM, on 5/1/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
C:\WINDOWS\SYSTEM\USBMMKBD.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\LVCOMS.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\PROGRAM FILES\LOGITECH\IMAGESTUDIO\LOGITRAY.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE
C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BACKWEB-8876480.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\PROGRAM FILES\WINDOWS MEDIA COMPONENTS\ENCODER\WMENCAGT.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\938HON4F\HIJACKTHIS[1].EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.canada.com/windsor
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/p/hp/us/?http://hp.yahoo.com
O1 - Hosts: 64.237.57.170 www.fomenko.ru #n?À?N@ ?N@ . N@ 4)@ <)@ t(@ ?(@ °(@
O1 - Hosts: 64.237.57.170 fomenko.ru #EDivByZero?ØN@ØN@ . N@ 4)@ <)@ t(@ ?(@ °(@
O1 - Hosts: 64.237.57.170 www.qwe.ru #ERangeError$O@ $O@ . N@ 4)@ <)@ t(@ ?(@ °(@
O1 - Hosts: 64.237.57.170 qwe.ru # .EIntOverflow?@ tO@tO@ . .M@ 4)@ <)@ t(@ ?(@ °(@
O1 - Hosts: 64.237.57.170 www.killer.ru #EMathError?ÀO@ ÀO@ . 4O@ 4)@ <)@ t(@ ?(@ °(@
O1 - Hosts: 64.237.57.170 killer.ru #EMathError?ÀO@ ÀO@ . 4O@ 4)@ <)@ t(@ ?(@ °(@
O1 - Hosts: 64.237.57.170 www.girlfriend.ru #EInvalidOp?.P@ .P@ . 4O@ 4)@ <)@ t(@ ?(@ °(@
O1 - Hosts: 64.237.57.170 girlfriend.ru #EZeroDivideXP@ XP@ . 4O@ 4)@ <)@ t(@ ?(@ °(@
O1 - Hosts: 64.237.57.170 www.lovers.ru #EOverflow?À¤P@ ¤P@ . 4O@ 4)@ <)@ t(@ ?(@ °(@
O1 - Hosts: 64.237.57.170 lovers.ru #EUnderflow?ðP@ ðP@ . .M@
O1 - Hosts: 64.237.57.170 www.bum.ru #EConvertError?ÀàQ@ àQ@ . .M@ 4)@ <)@ t(@ ?(@ °(@
O1 - Hosts: 64.237.57.170 bum.ru #EPrivilege??R@ ?R@ . .M@ 4)@ <)@ t(@ ?(@ °(@ .EStackOverflow?ÐR@
O1 - Hosts: 64.237.57.170 www.pupsik.ru #EPrivilege??R@ ?R@ . .M@ 4)@ <)@ t(@ ?(@ °(@ .EStackOverflow?ÐR@
O1 - Hosts: 64.237.57.170 pupsik.ru #EPrivilege??R@ ?R@ . .M@ 4)@ <)@ t(@ ?(@ °(@ .EStackOverflow?ÐR@
O1 - Hosts: 64.237.57.170 www.devil.ru #ÐR@ . .M@ 4)@ <)@ t(@ ?(@ °(@ EControlC?À.S@
O1 - Hosts: 64.237.57.170 devil.ru #ÐR@ . .M@ 4)@ <)@ t(@ ?(@ °(@ EControlC?À.S@
O1 - Hosts: 64.237.57.170 www.persik.ru #ÐR@ . .M@ 4)@ <)@ t(@ ?(@ °(@EControlC?À.S@
O1 - Hosts: 64.237.57.171 persik.ru # ÐR@ . .M@ 4)@ <)@ t(@ ?(@ °(@EControlC?À.S@
O1 - Hosts: 64.237.57.171 www.etop.ru #.M@ 4)@ <)@ t(@ ?(@ °(@EInOutError@N@@N@ . .M@ 4)@ <)@ t(@ ?(@ °(@ EIntEr
O1 - Hosts: 64.237.57.171 etop.ru #.M@ 4)@ <)@ t(@ ?(@ °(@EInOutError@N@@N@ . .M@ 4)@ <)@ t(@ ?(@ °(@ EIntEr
O1 - Hosts: 64.237.57.171 omen.ru #EConvertError?ÀàQ@ àQ@ . .M@ 4)@ <)@ t(@ ?(@ °(@
O1 - Hosts: 64.237.57.171 www.omen.ru #EInvalidOp?.P@ .P@ . 4O@ 4)@ <)@ t(@ ?(@ °(@
O1 - Hosts: 64.237.57.171 www.uxi.ru #EInvalidOp?.P@ .P@ . 4O@ 4)@ <)@ t(@ ?(@ °(@
O1 - Hosts: 64.237.57.171 uxi.ru #EInvalidOp?.P@ .P@ . 4O@ 4)@ <)@ t(@ ?(@ °(@
O1 - Hosts: 64.237.57.171 www.pornushka.ru #EInvalidOp?.P@ .P@ . 4O@ 4)@ <)@ t(@ ?(@ °(@
O1 - Hosts: 64.237.57.171 pornushka.ru #EInvalidOp?.P@ .P@ . 4O@ 4)@ <)@ t(@ ?(@ °(@
O1 - Hosts: 64.237.57.171 www.isex.ru #EInvalidOp?.P@ .P@ . 4O@ 4)@ <)@ t(@ ?(@ °(@
O1 - Hosts: 64.237.57.171 isex.ru #EInvalidOp?.P@ .P@ . 4O@ 4)@ <)@ t(@ ?(@ °(@
O1 - Hosts: 64.237.57.171 www.sexymafia.ru #EInvalidOp?.P@ .P@ . 4O@ 4)@ <)@ t(@ ?(@ °(@
O1 - Hosts: 64.237.57.171 sexymafia.ru #EInvalidOp?.P@ .P@ . 4O@ 4)@ <)@ t(@ ?(@ °(@
O1 - Hosts: 64.237.57.171 www.erotica.ru #EInvalidOp?.P@ .P@ . 4O@ 4)@ <)@ t(@ ?(@ °(@
O1 - Hosts: 64.237.57.171 erotica.ru #EInvalidOp?.P@ .P@ . 4O@ 4)@ <)@ t(@ ?(@ °(@
O1 - Hosts: 64.237.57.171 www.porno.ru #EInvalidOp?.P@ .P@ . 4O@ 4)@ <)@ t(@ ?(@ °(@
O1 - Hosts: 64.237.57.171 porno.ru #EInvalidOp?.P@ .P@ . 4O@ 4)@ <)@ t(@ ?(@ °(@
O1 - Hosts: 64.237.57.172 seksfoto.net #EInvalidOp?.P@ .P@ . 4O@ 4)@ <)@ t(@ ?(@ °(@
O1 - Hosts: 64.237.57.172 www.seksfoto.net #EInvalidOp?.P@ .P@ . 4O@ 4)@ <)@ t(@ ?(@ °(@
O1 - Hosts: 64.237.57.172 erophoto.ru #EInvalidOp?.P@ .P@ . 4O@ 4)@ <)@ t(@ ?(@ °(@
O1 - Hosts: 64.237.57.172 www.erophoto.ru #EInvalidOp?.P@ .P@ . 4O@ 4)@ <)@ t(@ ?(@ °(@
O1 - Hosts: 64.237.57.172 youngteensfuck.com #EOverflow?À¤P@ ¤P@ . 4O@ 4)@ <)@ t(@ ?(@ °(@
O1 - Hosts: 64.237.57.172 www.youngteensfuck.com #EOverflow?À¤P@ ¤P@ . 4O@ 4)@ <)@ t(@ ?(@ °(@
O1 - Hosts: 64.237.57.172 adult-top.ru #.M@ 4)@ <)@ t(@ ?(@ °(@EInOutError@N@@N@ . .M@ 4)@ <)@ t(@ ?(@ °(@ EIntEr
O1 - Hosts: 64.237.57.172 www.adult-top.ru #.M@ 4)@ <)@ t(@ ?(@ °(@EInOutError@N@@N@ . .M@ 4)@ <)@ t(@ ?(@ °(@ EIntEr
O1 - Hosts: 64.237.57.172 maxtop.ru #EConvertError?ÀàQ@ àQ@ . .M@ 4)@ <)@ t(@ ?(@ °(@
O1 - Hosts: 64.237.57.172 www.maxtop.ru #EInvalidOp?.P@ .P@ . 4O@ 4)@ <)@ t(@ ?(@ °(@
O1 - Hosts: 64.237.57.172 www.teens-trade.com #EConvertError?ÀàQ@ àQ@ . .M@ 4)@ <)@ t(@ ?(@ °(@
O1 - Hosts: 64.237.57.172 teens-trade.ru #EInvalidOp?.P@ .P@ . 4O@ 4)@ <)@ t(@ ?(@ °(@
O1 - Hosts: 207.176.39.177 mail.ru #EInvalidOp?.P@ .P@ . 4O@ 4)@ <)@ t(@ ?(@ °(@
O1 - Hosts: 207.176.39.177 www.mail.ru #EInvalidOp?.P@ .P@ . 4O@ 4)@ <)@ t(@ ?(@ °(@
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN4\YCOMP5_3_16_0.DLL
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN4\YCOMP5_3_16_0.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [HPScanPatch] C:\WINDOWS\SYSTEM\HPScanFix.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [USBMMKBD] usbmmkbd.exe
O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [LVComs] c:\windows\SYSTEM\LVComS.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [IncredimailDownloader] C:\WINDOWS\DOWNLOADED PROGRAM FILES\CONFLICT.1\IMLOADER.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] c:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] c:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Encompass_ENCMONTR] C:\Program Files\Easy Internet\ENCMONTR.EXE
O4 - HKLM\..\RunServices: [Hidserv] Hidserv.exe run
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [IncrediMail] C:\PROGRAM FILES\INCREDIMAIL\BIN\IncMail.exe /c
O4 - HKCU\..\Run: [MsnMsgr] "c:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Weather] C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE 1
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: Encoder Agent.lnk = C:\Program Files\Windows Media Components\Encoder\WMENCAGT.EXE
O4 - Startup: Updates from HP.lnk = C:\Program Files\BackWeb\BackWeb\Program\backweb.exe
O4 - Startup: HP Internet Center.lnk = C:\HP Internet\Surfboard\Surfbrd.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: RealGuide (HKLM)
O9 - Extra button: WeatherBug (HKCU)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4353/mcfscan.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38105.6263657407
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup/downloader/imloader.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab27571.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab27571.cab
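Added example, not part of the thread above: a small Python triage helper for the O1 (Hosts) section of a HijackThis log like the one posted. It groups the hostnames by the IP they are pinned to, flags pins to anything other than loopback/0.0.0.0 (the only targets a clean hosts file normally has), and flags non-printable bytes in the trailing `#` comment, which is what the garbled text after each `#` in the log above is. The sample lines are constructed in the shape of the posted log, not copied from it.

```python
import re
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample in the shape of the posted log: a non-O1 line that must be
# skipped, three hosts-file pins, and one benign loopback entry. The "\xc0" and
# "\xd8" stand in for the binary junk the posted log shows after each "#".
SAMPLE_LOG = """\
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.canada.com/windsor
O1 - Hosts: 64.237.57.170 www.fomenko.ru #n?\xc0?N@ ?N@ . N@ 4)@
O1 - Hosts: 64.237.57.170 fomenko.ru #EDivByZero?\xd8N@
O1 - Hosts: 207.176.39.177 mail.ru #EInvalidOp?.P@ .P@
O1 - Hosts: 127.0.0.1 localhost
"""

# "O1 - Hosts: <ip> <hostname> [#comment]" as HijackThis prints it.
O1_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)(?:\s*#(.*))?$")


def parse_o1(log_text):
    """Yield (ip, hostname, comment) for every O1 Hosts line in a HijackThis log."""
    for line in log_text.splitlines():
        m = O1_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2), m.group(3) or ""


def is_local(ip):
    """True for loopback or 0.0.0.0 targets; any other pin redirects real traffic."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified


def find_hijacks(log_text):
    """Group hostnames by non-local target IP and detect binary junk in comments."""
    by_ip = defaultdict(list)
    junk_comment = False
    for ip, host, comment in parse_o1(log_text):
        if not is_local(ip):
            by_ip[ip].append(host)
        # A hosts file written by a buggy or malicious binary often carries
        # non-printable bytes after the "#"; a hand-edited file never does.
        if any(ch < " " or ch > "~" for ch in comment):
            junk_comment = True
    return {"redirects": dict(by_ip), "binary_junk": junk_comment}
```

Many unrelated domains all pinned to one or two adjacent IPs, as in the posted log, is the signature of a hosts-file redirect rather than a user's own block list.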
#2 ·
Hi jspencer 1985,

There is NO chance that a machine with Windows 98 can be fixed, or made safe.
There are lots of reasons for this, almost all having to do with the age of the system.

Right now, you should get this machine OFFLINE (unplug the internet cable).
Anyone who feels like it could discover all your internet business from such an old, unprotected system.
Going forward, you should change every password for every account you have used while on this machine.

I don't know your personal situation, so I can't make any suggestion about how to proceed otherwise.

askey127