
[SOLVED] HiJackThis Log, PLEASE HELP

Discussion in 'Virus & Other Malware Removal' started by rkenia, Jun 25, 2004.

Thread Status:
Not open for further replies.
  1. rkenia

    rkenia Thread Starter

    Joined:
    Jun 24, 2004
    Messages:
    5
    Logfile of HijackThis v1.97.7
    Scan saved at 11:17:00 PM, on 6/25/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\CBA\PDS.EXE
    C:\WINDOWS\SYSTEM\CBA\XFR.EXE
    C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\RTVSCN95.EXE
    C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\DEFWATCH.EXE
    C:\WINDOWS\SYSTEM\MSGSYS.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\PCTVOICE.EXE
    C:\WINDOWS\SYSTEM\HPOOPM07.EXE
    C:\WINDOWS\SYSTEM\HIDSERV.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\VPTRAY.EXE
    C:\WINDOWS\SYSTEM\ICSMGR.EXE
    C:\PROGRAM FILES\DRIVE ACE DELETE\AMENFOUR.EXE
    C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE
    C:\PROGRAM FILES\AWORKS\SOLOTRAY.EXE
    C:\PROGRAM FILES\HEWLETT-PACKARD\HP OFFICEJET K SERIES\BIN\HPODEV07.EXE
    C:\PROGRAM FILES\HEWLETT-PACKARD\HP OFFICEJET K SERIES\FRU\REMIND32.EXE
    C:\PROGRAM FILES\HEWLETT-PACKARD\HP OFFICEJET K SERIES\BIN\HPOEVM07.EXE
    C:\WINDOWS\SYSTEM\HPOIPM07.EXE
    C:\WINDOWS\SYSTEM\HPOID407.EXE
    C:\PROGRAM FILES\HEWLETT-PACKARD\HP OFFICEJET K SERIES\BIN\HPOSTS07.EXE
    C:\PROGRAM FILES\HEWLETT-PACKARD\HP OFFICEJET K SERIES\BIN\HPOFXM07.EXE
    C:\WINDOWS\SYSTEM\WBGA.EXE
    C:\WINDOWS\SYSTEM\NXHP.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\WINDOWS\TEMP\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ptd.net/
    R3 - Default URLSearchHook is missing
    N1 - Netscape 4: user_pref("browser.startup.homepage", "allaboutsearching.com"); (C:\Program Files\Netscape\Users\default\prefs.js)
    O1 - Hosts: 167.208.132.5 scr-ics-lnm1
    O3 - Toolbar: Pa&nicware Pop-Up Stopper - {7E82235C-F31E-46CB-AF9F-1ADD94C585FF} - C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER\PSTOPPER.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\PROGRAM FILES\SEP\SEP.DLL (file missing)
    O3 - Toolbar: daleidle - {92EDA8B1-D672-E94F-395B-71B19C45B808} - C:\PROGRAM FILES\ISO ELSE\THATCOMP.DLL
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
    O4 - HKLM\..\Run: [PCTVOICE] pctvoice.exe
    O4 - HKLM\..\Run: [HPAIO_PrintFolderMgr] C:\WINDOWS\SYSTEM\hpoopm07.exe
    O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [ICSMGR] ICSMGR.EXE
    O4 - HKLM\..\Run: [4N43RQY3] C:\WINDOWS\TEMP\4N43RQY3.EXE
    O4 - HKLM\..\Run: [Uploaddraw] C:\PROGRA~1\DRIVEA~1\amenfour.exe
    O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\SYSTEM\DP-HIM.EXE
    O4 - HKLM\..\Run: [2ZYEP6H4AC95JQ] C:\WINDOWS\SYSTEM\Zqyg9f6.exe
    O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
    O4 - HKLM\..\Run: [AutoLoaderrsr71INTKLXP] "C:\WINDOWS\SYSTEM\HNDIEW32.EXE" /PC="AM.WILD" /HideUninstall
    O4 - HKLM\..\Run: [Ad-aware] "C:\PROGRAM FILES\LAVASOFT\AD-AWARE 6\AD-AWARE.EXE" +c
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\stimon.exe
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [Intel PDS] C:\WINDOWS\system\cba\pds.exe
    O4 - HKLM\..\RunServices: [Intel File Transfer] C:\WINDOWS\system\cba\xfr.exe
    O4 - HKLM\..\RunServices: [rtvscn95] C:\PROGRA~1\SYMANT~1\SYMANT~1\rtvscn95.exe
    O4 - HKLM\..\RunServices: [defwatch] C:\PROGRA~1\SYMANT~1\SYMANT~1\defwatch.exe
    O4 - HKLM\..\RunServices: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE"
    O4 - HKCU\..\Run: [MProcessor] "C:\Program Files\\MProcessor\MPROCESSOR.EXE"
    O4 - HKCU\..\Run: [aornRWc7R] PUR180.EXE
    O4 - HKCU\..\RunServices: [Reflection TimeSync] C:\Program Files\Reflection\rtsserv.exe
    O4 - Startup: Mixer Taskbar Icon.lnk = C:\Program Files\AWORKS\solotray.exe
    O4 - Startup: HPAiODevice.lnk = C:\Program Files\Hewlett-Packard\HP OfficeJet K Series\bin\hpodev07.exe
    O4 - Startup: Hewlett-Packard Recorder.lnk = C:\Program Files\Hewlett-Packard\HP OfficeJet K Series\FRU\Remind32.exe
    O4 - Startup: Virtual Bouncer.lnk = C:\Program Files\VBouncer\VirtualBouncer.exe
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
    O9 - Extra button: Create Mobile Favorite (HKLM)
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
    O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
    O12 - Plugin for .SWF: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npswf32.dll
    O16 - DPF: {94349FB6-37A0-4385-BADA-1B48DE3CA833} (ChrtCtl Class) - http://fdl.msn.com/public/investor/v9.5/investor.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37873.1390046296
    O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1408.g.akamai.net/7/1408/99...W/win/061-0848.20031022.TtzS4/iTunesSetup.exe
    O16 - DPF: {544EB377-350A-4295-9BEB-EAB8392E09C6} (MSN Money Charting) - http://fdl.msn.com/public/investor/v13/invinstl.exe
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
     
  2. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    111,851
    Among other things, you have a peper.a infection.

    Download the PeperFix.exe tool from here:

    http://downloads.subratam.org/PeperFix.exe

    Click on the PeperFix.exe to launch it.

    Click the Find and Fix button.

    It will scan the %Systemroot% folder and locate all the peper files. You will be prompted to reboot. Reboot and it will delete the peper files.

    Please download and run the following programs:

    AD-AWARE

    Go here: http://www.lavasoftusa.com/support/download/
    and download Ad-Aware 6 Build 181

    Install the program and launch it.

    First in the main window look in the bottom right-hand corner and click on Check for updates now and download the latest reference files.

    Make sure the following settings are made and on (ON = GREEN):

    From main window: Click Start then Activate in-depth scan (recommended)

    Click Use custom scanning options then click Customize and have these options selected: Under Drives and Folders put a check by Scan within archives and below that under Memory and Registry put a check by all the options there.

    Now click on the Tweak button in that same window. Under Scanning engine select Unload recognized processes during scanning and under Cleaning Engine select Let windows remove files in use at next reboot.

    Click proceed to save your settings.

    Now to scan just click the Next button.

    When the scan is finished mark everything for removal and get rid of it. (Right click the window and choose select all from the drop down menu and click Next)

    Restart your computer

    SPYBOT SEARCH & DESTROY

    http://majorgeeks.com/download2471.html

    Open Spybot Search & Destroy (click Start, Programs, Spybot S&D (Advanced Mode)). Click Online, Search for updates, Download all available updates. Close all browser windows, click "Check for Problems", put a check in every entry Spybot Search & Destroy flags with a red exclamation mark and click "Fix Selected Problems", then restart your computer.

    Then, after rebooting, please post another log and we’ll see what’s left to get rid of.
     
  3. rkenia

    rkenia Thread Starter

    Joined:
    Jun 24, 2004
    Messages:
    5
    So far no pop-ups happening. I appreciate your help. Below is the latest log. Please let me know if there is anything else to remove.

    Logfile of HijackThis v1.97.7
    Scan saved at 9:03:46 PM, on 6/27/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\CBA\PDS.EXE
    C:\WINDOWS\SYSTEM\CBA\XFR.EXE
    C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\RTVSCN95.EXE
    C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\DEFWATCH.EXE
    C:\WINDOWS\SYSTEM\MSGSYS.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\PCTVOICE.EXE
    C:\WINDOWS\SYSTEM\HPOOPM07.EXE
    C:\WINDOWS\SYSTEM\HIDSERV.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
    C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\VPTRAY.EXE
    C:\WINDOWS\SYSTEM\ICSMGR.EXE
    C:\PROGRAM FILES\DRIVE ACE DELETE\AMENFOUR.EXE
    C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\AWORKS\SOLOTRAY.EXE
    C:\PROGRAM FILES\HEWLETT-PACKARD\HP OFFICEJET K SERIES\BIN\HPODEV07.EXE
    C:\PROGRAM FILES\HEWLETT-PACKARD\HP OFFICEJET K SERIES\FRU\REMIND32.EXE
    C:\PROGRAM FILES\HEWLETT-PACKARD\HP OFFICEJET K SERIES\BIN\HPOEVM07.EXE
    C:\WINDOWS\SYSTEM\HPOIPM07.EXE
    C:\WINDOWS\SYSTEM\HPOID407.EXE
    C:\PROGRAM FILES\HEWLETT-PACKARD\HP OFFICEJET K SERIES\BIN\HPOSTS07.EXE
    C:\PROGRAM FILES\HEWLETT-PACKARD\HP OFFICEJET K SERIES\BIN\HPOFXM07.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\DESKTOP\HIJACKTHIS\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://allaboutsearching.com/passthrough/index.html?http://www.msn.com/
    R3 - Default URLSearchHook is missing
    N1 - Netscape 4: user_pref("browser.startup.homepage", "allaboutsearching.com"); (C:\Program Files\Netscape\Users\default\prefs.js)
    O1 - Hosts: 167.208.132.5 scr-ics-lnm1
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O3 - Toolbar: Pa&nicware Pop-Up Stopper - {7E82235C-F31E-46CB-AF9F-1ADD94C585FF} - C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER\PSTOPPER.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\PROGRAM FILES\SEP\SEP.DLL (file missing)
    O3 - Toolbar: daleidle - {92EDA8B1-D672-E94F-395B-71B19C45B808} - C:\PROGRAM FILES\ISO ELSE\THATCOMP.DLL
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
    O4 - HKLM\..\Run: [PCTVOICE] pctvoice.exe
    O4 - HKLM\..\Run: [HPAIO_PrintFolderMgr] C:\WINDOWS\SYSTEM\hpoopm07.exe
    O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [ICSMGR] ICSMGR.EXE
    O4 - HKLM\..\Run: [4N43RQY3] C:\WINDOWS\TEMP\4N43RQY3.EXE
    O4 - HKLM\..\Run: [Uploaddraw] C:\PROGRA~1\DRIVEA~1\amenfour.exe
    O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\SYSTEM\DP-HIM.EXE
    O4 - HKLM\..\Run: [2ZYEP6H4AC95JQ] C:\WINDOWS\SYSTEM\IpuFmd.exe
    O4 - HKLM\..\Run: [AutoLoaderrsr71INTKLXP] "C:\WINDOWS\SYSTEM\HNDIEW32.EXE" /PC="AM.WILD" /HideUninstall
    O4 - HKLM\..\Run: [Ad-aware] "C:\PROGRAM FILES\LAVASOFT\AD-AWARE 6\AD-AWARE.EXE" +c
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\stimon.exe
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [Intel PDS] C:\WINDOWS\system\cba\pds.exe
    O4 - HKLM\..\RunServices: [Intel File Transfer] C:\WINDOWS\system\cba\xfr.exe
    O4 - HKLM\..\RunServices: [rtvscn95] C:\PROGRA~1\SYMANT~1\SYMANT~1\rtvscn95.exe
    O4 - HKLM\..\RunServices: [defwatch] C:\PROGRA~1\SYMANT~1\SYMANT~1\defwatch.exe
    O4 - HKLM\..\RunServices: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE"
    O4 - HKCU\..\Run: [MProcessor] "C:\Program Files\\MProcessor\MPROCESSOR.EXE"
    O4 - HKCU\..\Run: [aornRWc7R] PUR180.EXE
    O4 - HKCU\..\RunServices: [Reflection TimeSync] C:\Program Files\Reflection\rtsserv.exe
    O4 - Startup: Mixer Taskbar Icon.lnk = C:\Program Files\AWORKS\solotray.exe
    O4 - Startup: HPAiODevice.lnk = C:\Program Files\Hewlett-Packard\HP OfficeJet K Series\bin\hpodev07.exe
    O4 - Startup: Hewlett-Packard Recorder.lnk = C:\Program Files\Hewlett-Packard\HP OfficeJet K Series\FRU\Remind32.exe
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
    O9 - Extra button: Create Mobile Favorite (HKLM)
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
    O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
    O12 - Plugin for .SWF: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npswf32.dll
    O16 - DPF: {94349FB6-37A0-4385-BADA-1B48DE3CA833} (ChrtCtl Class) - http://fdl.msn.com/public/investor/v9.5/investor.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37873.1390046296
    O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1408.g.akamai.net/7/1408/99...W/win/061-0848.20031022.TtzS4/iTunesSetup.exe
    O16 - DPF: {544EB377-350A-4295-9BEB-EAB8392E09C6} (MSN Money Charting) - http://fdl.msn.com/public/investor/v13/invinstl.exe
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
     
  4. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    111,851
    Before you proceed with those instructions, please move Hijack This into its own folder in program files or my documents but not in the temporary files or on the desktop, so it can create proper back-ups and restore them if necessary.

    Turn off system restore. On the desktop, right-click on My Computer, click properties, click system restore tab, check turn off system restore, click apply and then OK. Restart your computer. Once your system is clean you will turn it back on and create a new restore point.

    Rescan with Hijack This, close all browser windows except Hijack This, put a check mark beside these entries and click “fix checked”.

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://allaboutsearching.com/passth...://www.msn.com/

    R3 - Default URLSearchHook is missing

    N1 - Netscape 4: user_pref("browser.startup.homepage", "allaboutsearching.com"); (C:\Program Files\Netscape\Users\default\prefs.js)

    O1 - Hosts: 167.208.132.5 scr-ics-lnm1

    O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\PROGRAM FILES\SEP\SEP.DLL (file missing)

    O3 - Toolbar: daleidle - {92EDA8B1-D672-E94F-395B-71B19C45B808} - C:\PROGRAM FILES\ISO ELSE\THATCOMP.DLL

    O4 - HKLM\..\Run: [4N43RQY3] C:\WINDOWS\TEMP\4N43RQY3.EXE

    O4 - HKLM\..\Run: [Uploaddraw] C:\PROGRA~1\DRIVEA~1\amenfour.exe

    O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\SYSTEM\DP-HIM.EXE

    O4 - HKLM\..\Run: [2ZYEP6H4AC95JQ] C:\WINDOWS\SYSTEM\IpuFmd.exe

    O4 - HKLM\..\Run: [AutoLoaderrsr71INTKLXP] "C:\WINDOWS\SYSTEM\HNDIEW32.EXE" /PC="AM.WILD" /HideUninstall

    O4 - HKLM\..\RunServices: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe

    O4 - HKCU\..\Run: [aornRWc7R] PUR180.EXE


    Then boot to safe mode (see how below), locate and delete these files and/or folders:

    C:\WINDOWS\TEMP\ - folder
    DRIVEA~1\amenfour.exe - folder (it will start with these six letters)
    DP-HIM.EXE - file
    IpuFmd.exe - file
    HNDIEW32.EXE - file
    WinTools - folder
    PUR180.EXE - file

    How to restart to safe mode:
    http://service1.symantec.com/SUPPOR...2001052409420406?OpenDocument&src=sec_doc_nam

    Because XP will not always show you hidden files and folders by default, go to Start - Search and, under "More advanced search options", make sure there is a check by "Search System Folders", "Search hidden files and folders" and "Search system subfolders".

    Next click on My Computer. Go to Tools - Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types". Now click "Apply to all folders".
    Click "Apply" then "OK".

    Then reboot and post another log please.
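The thread works by comparing successive HijackThis logs by eye. The following is an added example, not part of this forum thread and not code from HijackThis or its author: a small Python parser for the `Rx`/`Nx`/`Oxx - ...` line format that diffs two scans, reports O4 autostart entries whose value name survived but whose target changed (the `[2ZYEP6H4AC95JQ]` entry above points at `Zqyg9f6.exe` in the first log and `IpuFmd.exe` in the second), and flags autostarts with random-looking names or TEMP-directory paths. The two log excerpts embedded below are constructed from lines in the logs posted above; the "random-looking name" heuristic is this example's own assumption, not a HijackThis rule.

```python
"""Parse HijackThis 1.x log lines and compare two scans (added example,
not code from the forum thread or from HijackThis)."""
import re

# Generic entry line: section code, " - ", detail.  Assumed to cover the
# R0-R3, N1-N4, F0-F3 and O1-O23 codes seen in 1.x logs.
ENTRY_RE = re.compile(r"^(R[0-3]|N[1-4]|F[0-3]|O\d{1,2})\s+-\s+(.*)$")
# O4 registry autostart detail: 'HKLM\..\Run: [ValueName] command'
O4_RE = re.compile(r"^(HK(?:LM|CU)\\\.\.\\(?:Run|RunServices)): \[([^\]]+)\] (.*)$")
# Heuristic (assumption): 8+ upper-case letters/digits, mixed, e.g. 4N43RQY3
RANDOM_NAME_RE = re.compile(r"[A-Z0-9]{8,}")

# Constructed excerpts taken from the first and second logs in the thread.
LOG_BEFORE = r"""
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [4N43RQY3] C:\WINDOWS\TEMP\4N43RQY3.EXE
O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\SYSTEM\DP-HIM.EXE
O4 - HKLM\..\Run: [2ZYEP6H4AC95JQ] C:\WINDOWS\SYSTEM\Zqyg9f6.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKCU\..\Run: [aornRWc7R] PUR180.EXE
"""
LOG_AFTER = r"""
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [4N43RQY3] C:\WINDOWS\TEMP\4N43RQY3.EXE
O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\SYSTEM\DP-HIM.EXE
O4 - HKLM\..\Run: [2ZYEP6H4AC95JQ] C:\WINDOWS\SYSTEM\IpuFmd.exe
O4 - HKCU\..\Run: [aornRWc7R] PUR180.EXE
"""


def parse_hjt(text):
    """Return [(section, detail), ...] for every entry line; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def diff_logs(before, after):
    """(removed, added) entry lists between two scans, each sorted."""
    b, a = set(parse_hjt(before)), set(parse_hjt(after))
    return sorted(b - a), sorted(a - b)


def autostarts(text):
    """Map (registry key, value name) -> command for O4 registry entries, in log order."""
    out = {}
    for section, detail in parse_hjt(text):
        if section != "O4":
            continue
        m = O4_RE.match(detail)
        if m:
            out[(m.group(1), m.group(2))] = m.group(3)
    return out


def retargeted_autostarts(before, after):
    """Autostart values present in both scans whose command changed."""
    b, a = autostarts(before), autostarts(after)
    return [(key, name, b[(key, name)], a[(key, name)])
            for (key, name) in sorted(b.keys() & a.keys())
            if b[(key, name)] != a[(key, name)]]


def suspicious_autostarts(text):
    """[(value name, command, [reasons])] for entries matching the heuristics above."""
    hits = []
    for (_key, name), command in autostarts(text).items():
        reasons = []
        if (RANDOM_NAME_RE.fullmatch(name)
                and any(c.isdigit() for c in name)
                and any(c.isalpha() for c in name)):
            reasons.append("random-looking value name")
        if "\\TEMP\\" in command.upper():
            reasons.append("runs from a TEMP directory")
        if reasons:
            hits.append((name, command, reasons))
    return hits


if __name__ == "__main__":
    removed, added = diff_logs(LOG_BEFORE, LOG_AFTER)
    print("removed:", *removed, sep="\n  ")
    print("added:", *added, sep="\n  ")
    print("retargeted:", *retargeted_autostarts(LOG_BEFORE, LOG_AFTER), sep="\n  ")
    print("suspicious in first scan:", *suspicious_autostarts(LOG_BEFORE), sep="\n  ")
```

Run it on two saved logs by reading them into `LOG_BEFORE`/`LOG_AFTER`. The retarget check is the useful one after a cleanup round: an autostart value that keeps its name but points at a freshly named executable is still active, which plain "did the line disappear" checking misses.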
     
  5. rkenia

    rkenia Thread Starter

    Joined:
    Jun 24, 2004
    Messages:
    5
    I'm running Windows Me. I could not find the following:
    DP-HIM.EXE
    HNDIEW32.EXE
    WinTools
    PUR180.EXE

    Here is my current log.

    Logfile of HijackThis v1.97.7
    Scan saved at 7:18:24 PM, on 6/28/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\SYSTEM\CBA\PDS.EXE
    C:\WINDOWS\SYSTEM\CBA\XFR.EXE
    C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\RTVSCN95.EXE
    C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\DEFWATCH.EXE
    C:\WINDOWS\SYSTEM\MSGSYS.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\PCTVOICE.EXE
    C:\WINDOWS\SYSTEM\HPOOPM07.EXE
    C:\WINDOWS\SYSTEM\HIDSERV.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
    C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\VPTRAY.EXE
    C:\WINDOWS\SYSTEM\ICSMGR.EXE
    C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
    C:\PROGRAM FILES\AWORKS\SOLOTRAY.EXE
    C:\PROGRAM FILES\HEWLETT-PACKARD\HP OFFICEJET K SERIES\BIN\HPODEV07.EXE
    C:\PROGRAM FILES\HEWLETT-PACKARD\HP OFFICEJET K SERIES\FRU\REMIND32.EXE
    C:\PROGRAM FILES\HEWLETT-PACKARD\HP OFFICEJET K SERIES\BIN\HPOEVM07.EXE
    C:\WINDOWS\SYSTEM\HPOIPM07.EXE
    C:\WINDOWS\SYSTEM\HPOID407.EXE
    C:\PROGRAM FILES\HEWLETT-PACKARD\HP OFFICEJET K SERIES\BIN\HPOSTS07.EXE
    C:\PROGRAM FILES\HEWLETT-PACKARD\HP OFFICEJET K SERIES\BIN\HPOFXM07.EXE
    C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ptd.net/
    N1 - Netscape 4: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Program Files\Netscape\Users\default\prefs.js)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O3 - Toolbar: Pa&nicware Pop-Up Stopper - {7E82235C-F31E-46CB-AF9F-1ADD94C585FF} - C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER\PSTOPPER.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
    O4 - HKLM\..\Run: [PCTVOICE] pctvoice.exe
    O4 - HKLM\..\Run: [HPAIO_PrintFolderMgr] C:\WINDOWS\SYSTEM\hpoopm07.exe
    O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [ICSMGR] ICSMGR.EXE
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\stimon.exe
    O4 - HKLM\..\RunServices: [Intel PDS] C:\WINDOWS\system\cba\pds.exe
    O4 - HKLM\..\RunServices: [Intel File Transfer] C:\WINDOWS\system\cba\xfr.exe
    O4 - HKLM\..\RunServices: [rtvscn95] C:\PROGRA~1\SYMANT~1\SYMANT~1\rtvscn95.exe
    O4 - HKLM\..\RunServices: [defwatch] C:\PROGRA~1\SYMANT~1\SYMANT~1\defwatch.exe
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE"
    O4 - HKCU\..\Run: [MProcessor] "C:\Program Files\\MProcessor\MPROCESSOR.EXE"
    O4 - HKCU\..\RunServices: [Reflection TimeSync] C:\Program Files\Reflection\rtsserv.exe
    O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O4 - Startup: Billminder.lnk = C:\QUICKENW\billmind.exe
    O4 - Startup: Mixer Taskbar Icon.lnk = C:\Program Files\AWORKS\solotray.exe
    O4 - Startup: HPAiODevice.lnk = C:\Program Files\Hewlett-Packard\HP OfficeJet K Series\bin\hpodev07.exe
    O4 - Startup: Hewlett-Packard Recorder.lnk = C:\Program Files\Hewlett-Packard\HP OfficeJet K Series\FRU\Remind32.exe
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
    O9 - Extra button: Create Mobile Favorite (HKLM)
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
    O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
    O12 - Plugin for .SWF: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npswf32.dll
    O16 - DPF: {94349FB6-37A0-4385-BADA-1B48DE3CA833} (ChrtCtl Class) - http://fdl.msn.com/public/investor/v9.5/investor.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37873.1390046296
    O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1408.g.akamai.net/7/1408/99...W/win/061-0848.20031022.TtzS4/iTunesSetup.exe
    O16 - DPF: {544EB377-350A-4295-9BEB-EAB8392E09C6} (MSN Money Charting) - http://fdl.msn.com/public/investor/v13/invinstl.exe
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
     
  6. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    111,851
    Sorry. I forgot to alter my post from XP to ME. Did you know how to unhide the files anyway? If not let me know and I'll post the instructions and then you can go back and look for those files.

    The log looks good to me. How's everything running?
     
  7. rkenia

    rkenia Thread Starter

    Joined:
    Jun 24, 2004
    Messages:
    5
    I went into Search, Tools, Folder Options, View and then clicked the Hide protected operating system files off. Should I click the system restore back on? Everything is running great! How do I keep this from happening again?

    Thanks so much for all your help.....
     
  8. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    111,851
  9. rkenia

    rkenia Thread Starter

    Joined:
    Jun 24, 2004
    Messages:
    5
    Cookie,

    Thanks again for all your help. I downloaded the software you mentioned and printed the security information. Have a great 4th of July!!!!! :D
     
  10. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    111,851
    You're welcome! (y)
     
Short URL to this thread: https://techguy.org/243233
