
Solved: Hijackthis log help appreciated before I kill my pc:(

Discussion in 'Virus & Other Malware Removal' started by peachez, Mar 12, 2005.

Thread Status:
Not open for further replies.
  1. peachez

    peachez Thread Starter

    Joined:
    Mar 12, 2005
    Messages:
    9
    Hello,
    I'm using win98se, and a set of jump leads. Getting all kinds of browser hijacks, pop ups and porn diallers. Have done the necessary with spybot but the blighters keep coming back on next reboot. Pretty please, could you take a look at this log file and tell me what I can nuke into oblivion? Thanks...

    Logfile of HijackThis v1.99.0
    Scan saved at 20:45:56, on 12/03/05
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\msgsrv.exe
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\TEXTBRIDGE CLASSIC 2.0\BIN\INSTANTACCESS.EXE
    C:\PQSC\PROGRAM\CPCTRAY.EXE
    C:\PROGRAM FILES\[email protected]\[email protected]
    C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\PROGRAM FILES\AHEAD\INCD\INCD.EXE
    C:\WINDOWS\SYSTEM\LEXBCES.EXE
    C:\PROGRAM FILES\BT YAHOO!\HELP\SMARTBRIDGE\MOTIVESB.EXE
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\WINDOWS\SYSTEM\HAJIYH.EXE
    C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
    C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE
    C:\WINDOWS\SYSTEM\LEXPPS.EXE
    C:\PROGRAM FILES\TEXTBRIDGE CLASSIC 2.0\EREG\REMIND32.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
    C:\WINDOWS\CALC.EXE
    C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\TEMP\ICD9.TMP\GAMES.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
    C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\PROGRAM FILES\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://edit.europe.yahoo.com/config/login?.intl=uk&.partner=bt-1&.done=http://bt.yahoo.com/?
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/...b/*http://uk.docs.yahoo.com/info/bt_side.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.bt.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: IEHelperObj Class - {6754A456-BAD9-11D4-93D3-00B0D03A2F91} - (no file)
    O2 - BHO: IEWebGuard Class - {1B77D30A-81C9-497A-8647-142F7511B1FB} - (no file)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O2 - BHO: DLMaxObj Class - {00000000-59D4-4008-9058-080011001200} - C:\WINDOWS\DLMAX.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\BIN\INSTAN~1.EXE /h
    O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\BIN\REGIST~1.EXE
    O4 - HKLM\..\Run: [SecondChance] C:\PQSC\PROGRAM\CPCTray.exe
    O4 - HKLM\..\Run: [seticlient] C:\Program Files\[email protected]\[email protected] -min
    O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
    O4 - HKLM\..\Run: [DiskArella Clean Start] C:\PROGRAM FILES\da.exe /?CS
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [LexStart] lexstart.exe
    O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
    O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 205 ADSL Router\Adsl\dslagent.exe
    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\BTYAHO~1\HELP\SMARTB~1\MotiveSB.exe
    O4 - HKLM\..\Run: [Pn3MyB] C:\ORMAGTPI.EXE
    O4 - HKLM\..\Run: [jav] C:\WINDOWS\jav.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [hajiyh] c:\windows\system\hajiyh.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [FARMMEXT] C:\WINDOWS\FARMMEXT.exe
    O4 - HKLM\..\Run: [ASDPLUGIN] C:\WINDOWS\SYSTEM\dsldbaccess.exe -N
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\BIN\REGIST~1.EXE
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE"
    O4 - HKCU\..\Run: [Spyware Begone] C:\FREESCAN\FREESCAN.EXE -FastScan
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRAM FILES\YAHOO!\MESSENGER\ypager.exe -quiet
    O4 - Startup: reminder-ScanSoft Product Registration.lnk = C:\Program Files\TextBridge Classic 2.0\Ereg\REMIND32.EXE
    O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O10 - Broken Internet access because of LSP provider 'syswvnt.dll' missing
    O16 - DPF: {8EC18CE2-D7B4-11D2-88C8-006008A717FD} (NCSView Class) - http://www2.getmapping.com/ecwplugins/ncs.cab
    O16 - DPF: {0EC4C9E3-EC6A-11CF-8E3B-444553540000} (WaveTab Control) - http://www.riffinteractive.com/setup/RiffLick.cab
    O16 - DPF: {29C13B62-B9F7-4CD3-8CEF-0A58A1A99441} (MSN Chat Control 4.1) - http://fdl.msn.com/public/chat/msnchat41.cab
    O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} (MSN Chat Control 4.2) - http://fdl.msn.com/public/chat/msnchat42.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
    O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
    O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
    O16 - DPF: {DD0D7B41-6AE3-42C6-B9F0-75BABEDDF665} (UKChatroomsClient.client) - http://ukchatrooms.net/UKChatroomsClient.CAB
    O16 - DPF: {3FC88C02-02A8-41DB-AD82-4090C9B531B4} (UKChatroomsClient.client) - http://ukchatrooms.net/UKChatroomsClient.CAB
    O16 - DPF: {6157C9BB-EE36-49DE-9816-9C27C61CFC37} (UKChatroomsClient.client) - http://ukchatrooms.net/UKChatroomsClient.CAB
    O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
    O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-18.cab
    O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.sc-server1.bt.com/broadband/MotivePreQual.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/199702195b7e43ea2e15/netzip/RdxIE601.cab
    O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
    O16 - DPF: {AD1936CB-657C-4B79-AD63-CBCBA1DD83CB} - http://dl.ask.co.uk/toolbars/vitoolbar/download/virgin-inst.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay101.hotmail.msn.com/resources/MsnPUpld.cab
    O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
    O16 - DPF: {30CE93AE-4987-483C-9ABE-F2BD5301AB70} - http://64.158.165.49/output/100039/uk/dbgames/dsldbaccess.exe
    O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
     
  3. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    Hi and Welcome to TSG> I have asked someone to look this over; they may ask you to submit some files for an exam. Don't do anything until you are instructed!
    Just want to be sure that if you have some new malware there it gets to those who make our antispyware/antivirus programs so it can be included for detection.
     
  4. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Hi peachez

    Welcome to TSG! :)

    Go here and download Ad-Aware SE.

    Install the program and launch it.

    First in the main window look in the bottom right corner and click on Check for updates now then click Connect and download the latest reference files.

    From main window :Click Start then under Select a scan Mode tick Perform full system scan.

    Next deselect Search for negligible risk entries.

    Now to scan just click the Next button.

    When the scan is finished mark everything for removal and get rid of it.(Right-click the window and choose select all from the drop down menu and click Next)

    Restart your computer.


    Also a new version of Hijack This has been released so get rid of the old one and Click here to download the new one, come back here and post the log from it after you run Adaware.
     
  5. peachez

    peachez Thread Starter

    Joined:
    Mar 12, 2005
    Messages:
    9
    Hello Mr Flrman1:)

    Well I did all of that. Not sure that I have run the ad-aware thing properly tho'. I selected everything at the end of the scan and whilst it told me it was deleting it all (got a little progress bar and everything) it all seemed to stall and eventually I had to close the program since there didn't seem to be any activity. So I rebooted and did the whole scan again (yawn) and got the same result with the program seeming to stall. Took a closer look and found that all the nasty items had been shoved in a quarantine folder. I ain't touched it, honest! So I rebooted (again) and got myself a new version of Hijackthis! Here's the log. Should I still wear a bell around me neck and yell 'unclean!!!'? I'm kind of fed up with being infested with nasties:(


    Logfile of HijackThis v1.99.1
    Scan saved at 16:09:14, on 13/03/05
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\msgsrv.exe
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\TEXTBRIDGE CLASSIC 2.0\BIN\INSTANTACCESS.EXE
    C:\PQSC\PROGRAM\CPCTRAY.EXE
    C:\PROGRAM FILES\[email protected]\[email protected]
    C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\PROGRAM FILES\AHEAD\INCD\INCD.EXE
    C:\PROGRAM FILES\BT YAHOO!\HELP\SMARTBRIDGE\MOTIVESB.EXE
    C:\WINDOWS\SYSTEM\LEXBCES.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
    C:\WINDOWS\SYSTEM\HAJIYH.EXE
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
    C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\PROGRAM FILES\TEXTBRIDGE CLASSIC 2.0\EREG\REMIND32.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
    C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\LEXPPS.EXE
    C:\WINDOWS\CALC.EXE
    C:\PROGRAM FILES\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://edit.europe.yahoo.com/config/login?.intl=uk&.partner=bt-1&.done=http://bt.yahoo.com/?
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/...b/*http://uk.docs.yahoo.com/info/bt_side.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.bt.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: IEHelperObj Class - {6754A456-BAD9-11D4-93D3-00B0D03A2F91} - (no file)
    O2 - BHO: IEWebGuard Class - {1B77D30A-81C9-497A-8647-142F7511B1FB} - (no file)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O2 - BHO: DLMaxObj Class - {00000000-59D4-4008-9058-080011001200} - C:\WINDOWS\DLMAX.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\BIN\INSTAN~1.EXE /h
    O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\BIN\REGIST~1.EXE
    O4 - HKLM\..\Run: [SecondChance] C:\PQSC\PROGRAM\CPCTray.exe
    O4 - HKLM\..\Run: [seticlient] C:\Program Files\[email protected]\[email protected] -min
    O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
    O4 - HKLM\..\Run: [DiskArella Clean Start] C:\PROGRAM FILES\da.exe /?CS
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [LexStart] lexstart.exe
    O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
    O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 205 ADSL Router\Adsl\dslagent.exe
    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\BTYAHO~1\HELP\SMARTB~1\MotiveSB.exe
    O4 - HKLM\..\Run: [Pn3MyB] C:\ORMAGTPI.EXE
    O4 - HKLM\..\Run: [jav] C:\WINDOWS\jav.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [hajiyh] c:\windows\system\hajiyh.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [FARMMEXT] C:\WINDOWS\FARMMEXT.exe
    O4 - HKLM\..\Run: [ASDPLUGIN] C:\WINDOWS\SYSTEM\dsldbaccess.exe -N
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\BIN\REGIST~1.EXE
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE"
    O4 - HKCU\..\Run: [Spyware Begone] C:\FREESCAN\FREESCAN.EXE -FastScan
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRAM FILES\YAHOO!\MESSENGER\ypager.exe -quiet
    O4 - Startup: reminder-ScanSoft Product Registration.lnk = C:\Program Files\TextBridge Classic 2.0\Ereg\REMIND32.EXE
    O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O10 - Broken Internet access because of LSP provider 'syswvnt.dll' missing
    O16 - DPF: {8EC18CE2-D7B4-11D2-88C8-006008A717FD} (NCSView Class) - http://www2.getmapping.com/ecwplugins/ncs.cab
    O16 - DPF: {0EC4C9E3-EC6A-11CF-8E3B-444553540000} (WaveTab Control) - http://www.riffinteractive.com/setup/RiffLick.cab
    O16 - DPF: {29C13B62-B9F7-4CD3-8CEF-0A58A1A99441} (MSN Chat Control 4.1) - http://fdl.msn.com/public/chat/msnchat41.cab
    O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} (MSN Chat Control 4.2) - http://fdl.msn.com/public/chat/msnchat42.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
    O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
    O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
    O16 - DPF: {DD0D7B41-6AE3-42C6-B9F0-75BABEDDF665} (UKChatroomsClient.client) - http://ukchatrooms.net/UKChatroomsClient.CAB
    O16 - DPF: {3FC88C02-02A8-41DB-AD82-4090C9B531B4} (UKChatroomsClient.client) - http://ukchatrooms.net/UKChatroomsClient.CAB
    O16 - DPF: {6157C9BB-EE36-49DE-9816-9C27C61CFC37} (UKChatroomsClient.client) - http://ukchatrooms.net/UKChatroomsClient.CAB
    O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
    O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-18.cab
    O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.sc-server1.bt.com/broadband/MotivePreQual.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/199702195b7e43ea2e15/netzip/RdxIE601.cab
    O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
    O16 - DPF: {AD1936CB-657C-4B79-AD63-CBCBA1DD83CB} - http://dl.ask.co.uk/toolbars/vitoolbar/download/virgin-inst.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay101.hotmail.msn.com/resources/MsnPUpld.cab
    O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
    O16 - DPF: {30CE93AE-4987-483C-9ABE-F2BD5301AB70} - http://64.158.165.49/output/100039/uk/dbgames/dsldbaccess.exe
    O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
     
  6. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    Hi, Did you install and use AdAware SE personal edition, as flrman1 replied to you?
    I suggest strongly that you do that.

    First- you may have installed, or someone may have, a program that monitors activity on the PC called Winvestigator. When I find these, I always ask if you, or someone you know, installed this knowingly?

    It is commonly called a keylogger. It may or may not be in Add/Remove Programs, and may or may not uninstall all the way. It may already have been uninstalled, but there seems to be a remnant still in the Hijack log, so if you know you do not want this item, we will deal with it.
    IF this is a work computer your employer may have installed it- so I advise you first to check on just who put it there. It could have just come in with some other malware, so don't worry, it can be dealt with. SpyBot detects and removes Winvestigator, so it may already have been removed and seems to have been.

    The LSP entry in the HJT log shows it as "file missing"
    so, let's try this utility to see if it needs to be removed that way:

    http://www.bleepingcomputer.com/files/spyware/lspfix.zip

    Unzip the file and run lspfix.exe
    Put a check in the "I know what I am doing" box.
    In the window, see if any syswvnt.dll shows, and if so, move that and ONLY that file to the remove pane...and click Finish.

    If NO syswvnt.dll is shown> Click the "I know what I am doing" button, and do nothing else except click Finish.
    Go to the Control Panel, then Add/Remove Programs, and uninstall if found:

    SpywareBegone /freescan or similar.
    DLMax

    Run Hijackthis again, and put checks next to all of these in my list> then, click "Fix checked":


    O2 - BHO: IEHelperObj Class - {6754A456-BAD9-11D4-93D3-00B0D03A2F91} - (no file)
    O2 - BHO: IEWebGuard Class - {1B77D30A-81C9-497A-8647-142F7511B1FB} - (no file)
    O2 - BHO: DLMaxObj Class - {00000000-59D4-4008-9058-080011001200} - C:\WINDOWS\DLMAX.DLL

    O4 - HKLM\..\Run: [Pn3MyB] C:\ORMAGTPI.EXE
    O4 - HKLM\..\Run: [jav] C:\WINDOWS\jav.exe
    O4 - HKLM\..\Run: [hajiyh] c:\windows\system\hajiyh.exe
    O4 - HKLM\..\Run: [FARMMEXT] C:\WINDOWS\FARMMEXT.exe
    O4 - HKLM\..\Run: [ASDPLUGIN] C:\WINDOWS\SYSTEM\dsldbaccess.exe -N
    O4 - HKCU\..\Run: [Spyware Begone] C:\FREESCAN\FREESCAN.EXE -FastScan

    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
    O16 - DPF: {30CE93AE-4987-483C-9ABE-F2BD5301AB70} - http://64.158.165.49/output/100039/...dsldbaccess.exe


    Now Boot to Safe Mode to do these steps:

    When you restart the computer, and as you first see text on screen, start tapping the F8 key, eventually you will see the startup menu, move the line to Safe Mode with your arrow key, and then hit Enter key once...give it plenty of time to get to the desktop.

    Do this:

    Open My Computer and hit View at the top, then Folder Options, then View again>> put a dot into "Show all Files" and take dot out of "Hide file extensions for known file types" and OK that.

    Now, open Windows Explorer, and navigate to the folders shown, and delete the files shown at the ends of lines:


    C:\WINDOWS\FARMMEXT.exe
    C:\WINDOWS\SYSTEM\dsldbaccess.exe -N
    c:\windows\system\hajiyh.exe
    C:\WINDOWS\DLMAX.DLL
    C:\FREESCAN\FREESCAN.EXE
    C:\ORMAGTPI.EXE

    And, delete the folder:
    C:\FREESCAN

    Now go Start>Run> Disk Cleanup

    Put checks into Temp and Temporary Internet Files, but NOT in the Recycle Bin for just now...and get rid of the files for the two.

    You can also open the Control Panel then Internet Options, and Delete Files, put a check into "Delete all offline content" and OK that.

    Restart, it will go back to normal mode Windows, run a scan with SpyBot, checking for updates first, let it remove all it finds in RED.
    Do a Full Scan with AdAware also.

    Restart again, and run Hijackthis, and post a new log please.

    An online scanner may help find some things:

    http://housecall.antivirus.com/housecall/start_corp.asp

    Be sure you use the AUTOCLEAN checkbox, and scan all your hard drives, you can de-select the CDROM and floppy drives, unless you also want to scan some disks.
     
  7. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    First please do this:

    Click on My Computer then go to View > Folder Options. Click on the "View" tab and make sure "Show all files" is ticked and uncheck "Hide file extensions for known file types". Click "Like Current Folder" then click "Apply" then "OK"

    Now navigate to the C:\Windows folder and copy the calc.exe file. Put that copy in a zipped folder. Attach a copy of that zipped folder and send it to me here. Put "Files from TSG" in the Subject line and include a link to this thread so I'll know where it came from.

    I know that is the default location for the legit calc.exe file in 9x machines, but I have noticed lately that several posts with this same baddie installed, i.e. the FARMMEXT.exe file, have had calc.exe running. That leads me to believe that this one may indeed be using or overwriting that file.


    Click Here and download the new version of Killbox and save it to your desktop.

    Copy these instructions to notepad and save them to your desktop. You will need them in safe mode to refer to. Now restart to safe mode.

    How to start your computer in safe mode

    Do all of the following in safe mode:

    Run Hijack This again and put a check by these and click the "Fix checked" button.

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

    O2 - BHO: IEHelperObj Class - {6754A456-BAD9-11D4-93D3-00B0D03A2F91} - (no file)

    O2 - BHO: IEWebGuard Class - {1B77D30A-81C9-497A-8647-142F7511B1FB} - (no file)

    O2 - BHO: DLMaxObj Class - {00000000-59D4-4008-9058-080011001200} - C:\WINDOWS\DLMAX.DLL

    O4 - HKLM\..\Run: [Pn3MyB] C:\ORMAGTPI.EXE

    O4 - HKLM\..\Run: [jav] C:\WINDOWS\jav.exe

    O4 - HKLM\..\Run: [hajiyh] c:\windows\system\hajiyh.exe

    O4 - HKLM\..\Run: [FARMMEXT] C:\WINDOWS\FARMMEXT.exe

    O4 - HKLM\..\Run: [ASDPLUGIN] C:\WINDOWS\SYSTEM\dsldbaccess.exe

    O4 - HKCU\..\Run: [Spyware Begone] C:\FREESCAN\FREESCAN.EXE -FastScan

    O16 - DPF: {30CE93AE-4987-483C-9ABE-F2BD5301AB70} - http://64.158.165.49/output/100039/...dsldbaccess.exe


    Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confirmation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

    C:\ORMAGTPI.EXE

    C:\WINDOWS\jav.exe

    c:\windows\system\hajiyh.exe

    C:\WINDOWS\FARMMEXT.exe

    C:\WINDOWS\SYSTEM\dsldbaccess.exe


    Exit the Killbox.

    Find and delete this folder:

    C:\freescan

    Also in safe mode navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

    Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.


    Empty the Recycle Bin

    Boot back to Windows normally now.


    Go to C:\ and find the !Submit folder. Copy that folder and then put it in a zipped folder. Now go to the link below and upload the !Submit.zip folder:

    http://www.thespykiller.co.uk/forum/index.php

    Just press new topic, fill in the needed details and give a link to your thread here, then press the browse button and navigate to and select the files on your computer. If there is more than 1 file, press the more attachments button for each extra file and browse and select etc., and then when all the files are listed in the window press send to upload the files (do not post HJT logs there as they will not get dealt with).
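An added example, not part of the thread and not HijackThis's own code: a small Python triage script that reads a HijackThis log the way Byteman (post 6) and Flrman1 (post 7) read peachez's logs above. It flags O2 BHOs with no backing file, an O10 LSP provider reported missing, O4 autoruns whose executable sits in C:\, C:\WINDOWS or C:\WINDOWS\SYSTEM under a name that is not a recognised Windows component, and O16 ActiveX downloads served from a bare IP address or as a raw .exe. O6 policy restrictions are marked for review rather than removal, since the helpers above could not agree on what sets them. The allowlist of Windows components is an assumption kept deliberately small, and the sample log is constructed from lines quoted in the thread.

```python
"""Triage a HijackThis-style log the way the helpers in this thread read it.

Added example, not HijackThis code. KNOWN_SYSTEM_EXES is an assumption;
SAMPLE_LOG is constructed from lines quoted in the thread above.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

# Constructed sample: a subset of the lines peachez posted above.
SAMPLE_LOG = r"""
O2 - BHO: IEHelperObj Class - {6754A456-BAD9-11D4-93D3-00B0D03A2F91} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: DLMaxObj Class - {00000000-59D4-4008-9058-080011001200} - C:\WINDOWS\DLMAX.DLL
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [Pn3MyB] C:\ORMAGTPI.EXE
O4 - HKLM\..\Run: [jav] C:\WINDOWS\jav.exe
O4 - HKLM\..\Run: [hajiyh] c:\windows\system\hajiyh.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [FARMMEXT] C:\WINDOWS\FARMMEXT.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O10 - Broken Internet access because of LSP provider 'syswvnt.dll' missing
O16 - DPF: {29C13B62-B9F7-4CD3-8CEF-0A58A1A99441} (MSN Chat Control 4.1) - http://fdl.msn.com/public/chat/msnchat41.cab
O16 - DPF: {30CE93AE-4987-483C-9ABE-F2BD5301AB70} - http://64.158.165.49/output/100039/uk/dbgames/dsldbaccess.exe
"""

# Assumption: Win9x components a triager recognises on sight. Anything else
# launched from the directories below is flagged for a closer look.
KNOWN_SYSTEM_EXES = {
    "scanregw.exe", "taskmon.exe", "systray.exe", "rundll32.exe", "loadqm.exe",
    "lexstart.exe", "runonce.exe", "qttask.exe", "mstask.exe",
}
# "" covers a bare filename resolved via PATH (e.g. "SysTray.Exe").
SUSPECT_DIRS = {"", "c:\\", "c:\\windows", "c:\\windows\\system"}

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O16_RE = re.compile(r"^O16 - DPF: \{(?P<clsid>[0-9A-Fa-f-]+)\}(?: \((?P<name>.+?)\))? - (?P<url>.+)$")
# First token ending in a binary extension, quoted or not, arguments dropped.
EXE_RE = re.compile(r'^"?(?P<path>[^"]+?\.(?:exe|dll|ocx|tsk))"?(?=\s|$)', re.I)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


@dataclass(frozen=True)
class Finding:
    line: str
    reason: str


def _executable(cmd: str) -> Optional[str]:
    """Extract the program path from an O4 command line, ignoring arguments."""
    m = EXE_RE.match(cmd)
    return m.group("path") if m else None


def _suspect_location(path: str) -> bool:
    """True for a file in C:\\, C:\\WINDOWS, C:\\WINDOWS\\SYSTEM or bare on PATH
    whose name is not a recognised Windows component."""
    low = path.lower()
    return ntpath.dirname(low) in SUSPECT_DIRS and ntpath.basename(low) not in KNOWN_SYSTEM_EXES


def triage(log_text: str) -> List[Finding]:
    """Return the log lines worth the helpers' attention, with the reason for each."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("O2 - BHO:"):
            m = O2_RE.match(line)
            if m and m.group("path") == "(no file)":
                findings.append(Finding(line, "BHO registered but its file is gone (orphan entry)"))
            elif m and _suspect_location(m.group("path")):
                findings.append(Finding(line, "BHO DLL loaded from the Windows directory under an unknown name"))
        elif line.startswith("O4 - "):
            m = O4_RE.match(line)
            exe = _executable(m.group("cmd")) if m else None
            if exe and _suspect_location(exe):
                findings.append(Finding(line, f"autorun [{m.group('name')}] runs {exe} from C:\\ or the Windows directory"))
        elif line.startswith("O6 - "):
            findings.append(Finding(line, "IE policy restriction present; can be legitimate (Spybot IE Tweaks), confirm before fixing"))
        elif line.startswith("O10 - ") and "missing" in line:
            findings.append(Finding(line, "Winsock LSP provider missing; repair the chain with LSPFix rather than deleting the entry"))
        elif line.startswith("O16 - DPF:"):
            m = O16_RE.match(line)
            if m:
                url = m.group("url")
                host = urlsplit(url).hostname or ""
                if IPV4_RE.match(host):
                    findings.append(Finding(line, f"ActiveX download from a bare IP address ({host})"))
                elif url.lower().endswith(".exe"):
                    findings.append(Finding(line, "ActiveX download that is a raw .exe rather than a .cab package"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
```

Run it on a saved log with `triage(open("hijackthis.log").read())`; the script is a reading aid, not a cleaner, so every flagged line still needs the human judgement the helpers apply above (for example C:\FREESCAN\FREESCAN.EXE is not caught by these heuristics and was removed only because the helpers knew the product).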
     
  8. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Those O16s were put there by Spybot Bill.
     
  9. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    Hi flrman1- Thanks! I need to know how to tell them to remove the Restrictions, actually...

    I use SB, and have the protection all enabled, but don't have the Restrictions> is it part of TeaTimer?

    I don't see how to even get the Restrictions?? Help?

    And> sorry I thought you had given the go ahead, and didn't want any of these files sent in...
     
  10. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    No problem. The main reason I want the files is because I really believe there is a connection between calc.exe and this infection.

    Do you have the latest version of Spybot? If you open it in Advanced mode and click on "Tools" in the left column then "IE Tweaks" you see "Miscellaneous Locks". That's where those restrictions are placed.

    I gotta say though that now that I look again, I'm not sure that the toolbar restriction was put there by Spybot. I don't see that in my options. I don't even know if I have the latest version. I hardly ever use it any more.
     
  11. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    Hi Mark-- Yes, I have the newest version 1.3, not a beta, and I just looked>

    Lock IE start page (current user)

    Lock IE Control Panel (Current user)

    Those lock items are shown in mine, unchecked. Just to confirm that they are where you said! Thanks.
     
  12. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    What about the Toolbar restriction?
     
  13. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    Hi, Nope, nothing for any toolbar!

    Isn't that available right in IE? "Lock the toolbar"?

    Uh, skip that...

    Must be the baddies set the restrictions...No SpywareBlaster or SpywareGuard on the system.

    Does Norton put control panel in, or how about the ISP?
     
  14. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    I honestly don't know what put it there. A google search for O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present shows it in a lot of logs.

    http://www.google.com/search?q=O6+-...r=&rls=GGLD,GGLD:2004-09,GGLD:en&start=0&sa=N

    Funny thing is that I don't remember ever seeing it before and that is strange considering the thousands of logs I look at both here and at other forums. I have no idea if you can place that restriction with Spybot or what did. I feel sure it's legit, but it really blows me away that I don't remember ever seeing it before or that I've never had access to info on what app places that restriction! :confused: I must be slipping! :eek:
     
  15. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    Mark, It may be something Yahoo does these days, they do have a Toolbar and some added security things.

    http://www.geekstogo.com/forum/WExplorer_Prob-t6388.html

    That thread has the Toolbar restrictions showing, Mark.

    Not that they solved anything there, but maybe you can spot what loads the restrictions, I don't see what it may be.
     
  16. peachez

    peachez Thread Starter

    Joined:
    Mar 12, 2005
    Messages:
    9
    Hi Flrman1:) You have mail. I'm just gonna go do all the other stuff you said wot I don't understand, but I'll do it anyway.

    Thanks for your help this far...
     

Short URL to this thread: https://techguy.org/340206