TheTechGuide Forum
General Category => Tech Clinic => Topic started by: zer0nix on October 03, 2004, 03:36:17 PM
-
howdy y'all... for some inexplicable reason my system has been acting slow as of late - REAL slow, like right clicking anything causes the system to hang for 15 seconds and opening anything can cause hangups that last as long as a minute... I've run the latest versions of Spybot, Ad-Aware, Spy Sweeper and NOD32 but can't find any malware beyond the occasional cookie... Spy Sweeper's startup shield does detect "svhost" and "schedulingagent," both programs which I can't seem to remove; however both entries preceded this sudden bout of extreme system slowness... I really can't explain it and it seems neither can my antivirus/malware programs...
I am running Windows 98 on a 450 MHz Pentium 3 with 384 MB RAM... here's what I get when I run HijackThis 1.98:
Logfile of HijackThis v1.98.2
Scan saved at 1:24:07 PM, on 10/3/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\DISKEEPER\DKSERVICE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\ESET\NOD32KRN.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\ESET\NOD32KUI.EXE
C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE
C:\PROGRAM FILES\OPERA7.23\OPERA.EXE
D:\TEMP\AKIRA(ALL COLOR-INCLUDE ARTBOOK)\NEW FOLDER (2)\NEW FOLDER (4)\HIJACK THIS 1.98\HIJACKTHIS.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T WorldNet Service
R3 - Default URLSearchHook is missing
N1 - Netscape 4: user_pref("browser.startup.homepage", ""); (C:\Program Files\Netscape\Users\User1\prefs.js)
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - D:\PROGRAM FILES\FLASHGET\JCCATCH.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1.1\SDHELPER.DLL
O2 - BHO: (no name) - {AC73AB16-BFB2-11CA-FBAE-CA9E1863C3EF} - (no file)
O2 - BHO: (no name) - {CBB0A6A0-8430-11D4-814D-0050047090B1} - (no file)
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {2B8D0655-E928-6AD0-AA66-54783D97577A} - C:\WINDOWS\SYSTEM\LNNKVH.DLL (file missing)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_5_0.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - D:\PROGRAM FILES\FLASHGET\FGIEBAR.DLL
O3 - Toolbar: Nocs Bar - {8E1E80F3-A3F0-41d4-BAA7-470442CFC906} - C:\PROGRAM FILES\INTERNET EXPLORER\PLUGINS\NOCS.DLL
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_5_0.DLL
O4 - HKLM\..\Run: [CloneCDTray] "D:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe"
O4 - HKLM\..\Run: [3dfx Tools] rundll32.exe 3dfxCmn.dll,CMNUpdateOnBoot
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\RunServices: [DkService] C:\Program Files\Diskeeper\DkService.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [NOD32kernel] "C:\Program Files\Eset\nod32krn.exe"
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SPYSWEEPER.EXE" /0
O4 - HKCU\..\RunServicesOnce: [washindex] C:\Program Files\Washer\washidx.exe
O4 - Startup: Encoder Agent.lnk.disabled
O4 - Startup: ScanPanel.lnk.disabled
O4 - Startup: Kodak EasyShare software.lnk.disabled
O4 - Startup: Office Startup.lnk.disabled
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Download using FlashGet - D:\PROGRAM FILES\FLASHGET\jc_link.htm
O8 - Extra context menu item: Download All by FlashGet - D:\PROGRAM FILES\FLASHGET\jc_all.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\AIM\AIM.EXE
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRAM FILES\FLASHGET\FLASHGET.EXE
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRAM FILES\FLASHGET\FLASHGET.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra button: Nocs Bar - {9F772CA3-F464-4654-9073-C18749E197E4} - C:\PROGRAM FILES\INTERNET EXPLORER\PLUGINS\NOCS.DLL
O9 - Extra 'Tools' menuitem: Nocs Bar - {9F772CA3-F464-4654-9073-C18749E197E4} - C:\PROGRAM FILES\INTERNET EXPLORER\PLUGINS\NOCS.DLL
O12 - Plugin for .avi: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npavi32.dll
O12 - Plugin for .cgi: C:\PROGRA~1\INTERN~1\PLUGINS\NPZip-IT.dll
O12 - Plugin for .viv: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npviv32.dll
O12 - Plugin for .asx: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npdsplay.dll
O12 - Plugin for .rar: C:\PROGRA~1\INTERN~1\PLUGINS\NPZip-IT.dll
O12 - Plugin for .pk3: C:\PROGRA~1\INTERN~1\PLUGINS\NPZip-IT.dll
O16 - DPF: {8D37126F-C08C-11D4-A248-005056BF3741} - http://dist02.chargitdial.com/chargitplug.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20020323/qtinstall.info.apple.com/qt505/us/win/QuickTimeInstaller.exe
O16 - DPF: {7D699C5B-FA08-11D0-BC8E-0020AFFA71B6} (Atomic3D Control) - http://www.atomic3d.com/download/bin/a3dx1456.cab
O16 - DPF: {9E7138EE-4E7B-11D5-94EF-006008A4ED7F} - http://www.sex-jp.net/if02/oth/DialX16.CAB
O16 - DPF: {D22AC3EF-B7D8-11D5-A281-005056BF0101} - http://dist02.chargitdial.com/chargitplug.dll
O16 - DPF: {130AC32C-DE0D-43EF-AD82-2599E9F95153} (XEng001.XEng001Ctl) - http://www.uranus.dti.ne.jp/~picpic/001/XEng001.CAB
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {9771C160-AD19-11D5-91BE-0048546CB511} - http://216.176.203.29/data/program3/download.exe
O16 - DPF: {CF7DAC31-D63B-11D2-837B-00A0C95AB0A4} (EVA Active Control) - http://www.sharp.co.jp/sc/excite/evademo/acxeva.cab
O16 - DPF: {6D5FCFCB-FA6C-4CFB-9918-5F0A9F7365F2} - http://www.gigex.com/tv/igor/gigexagent.dll
O16 - DPF: {CFCB7308-782F-11D4-BE27-000102598CE4} (NPX Control) - http://nprotect1.gravity.co.kr/nprotect/npx.cab
O16 - DPF: {FEC3E5A3-50F7-4B0C-97D8-01CF69DFBFC7} (Measurement Service Client) - http://ccon.madonion.com/global/msc.cab
O16 - DPF: {8C6C6922-6258-44AC-9912-53964AC55272} (xload Class) - http://217.160.140.67/download/xloader8.cab
O16 - DPF: {8C6C6922-6258-44AC-9912-53964AC55275} (xload Class) - http://217.160.140.67/download/xloader9.cab
O16 - DPF: {5DB05CB8-7751-469D-A1DD-45C8C201C013} (Blender 3D Plug-in Active X Control) - http://download.blender.org/release/plugin/Blender3DPlugin.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9B376BB3-73E3-11D2-8CD6-00A0C9A0F04D} (FontLapper Class) - http://www.incrementp.co.jp/pc/dynatypo/activex/webfont.ocx
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {0D4B9606-1FEF-43B0-B76E-43150B060AEB} (JPEG2000 Decoder ActiveX) - file://C:\Program Files\Algo Vision LuraTech\Algo Vision LuraTech ActiveX Controls Setup\jp2x.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {20359788-0CE3-4AEC-BA27-2B36B4E2E301} - https://www.opinionsquare.com/globalconfig/ngc_activex.cab
O16 - DPF: {97438FE9-D361-4279-BA82-98CC0877A717} (Cubis Control) - http://mirror.worldwinner.com/games/v55/cubis/cubis.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {4C226336-4032-489F-9674-67E74225979B} (OTXMovie Class) - http://www.otxresearch.com/OTXMedia/OTXMedia.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O19 - User stylesheet: (file missing)
someone, please help?
:( rebooting does not solve the problem and the slowness is something extreme... I thank y'all for your time...
-
perhaps I should mention that a virus once destroyed my Norton AntiVirus 2004... I was unable to uninstall or reinstall the program, hence I purchased NOD32...
I should mention also that looking over NOD32's virus log I noted these entries:
Time Module Object Name Virus Action User Info
10/3/04 8:24:23 AM AMON file C:\WINDOWS\TEMP\AAWTMP\C140567\2E4D7\sbRecovery.reg Reg/StartPage trojan error while deleting - error quarantining the object - - error while deleting
10/3/04 7:27:35 AM AMON file C:\WINDOWS\TEMP\AAWTMP\C679756\2ECA5F\sbRecovery.reg Reg/StartPage trojan error while deleting - error while renaming - error quarantining the object - - error while deleting
Time Module Object Name Virus Action User Info
9/19/04 8:19:27 AM AMON file C:\WINDOWS\Temporary Internet Files\Content.IE5\K1QJGH23\http[1].hta VBS/StartPage.J trojan error while deleting - error while deleting - error while renaming - error quarantining the object - - error while deleting
PS: is there a way for me to block everything from one address (http://, not IP) from ever uploading content to or otherwise accessing my PC? I see a whole lot of these:
Time Module Object Name Virus Action User Info
10/3/04 4:29:09 AM IMON file http://www.businesschannelnews.com/page/http.asp VBS/StartPage.J trojan connection terminated
- and would just like to block that page from my PC so it can never be accessed...
many thanks again!
-
Your log isn't that bad, but let's remove some entries and get some more protection on your system.
I'll assume that you installed the Nocs toolbar on purpose, so we'll leave that entry alone.
Download this small utility to your desktop; this will help you delete the contents of the Temp folders:
Internet Sweeper (http://www.bmesite.com/isfw.exe)
Double click to install; we'll run this later.
Do another scan with HijackThis and put a check next to these entries,
and then FIX CHECKED when ALL other windows are closed, including this one:
O2 - BHO: (no name) - {AC73AB16-BFB2-11CA-FBAE-CA9E1863C3EF} - (no file)
O2 - BHO: (no name) - {CBB0A6A0-8430-11D4-814D-0050047090B1} - (no file)
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {2B8D0655-E928-6AD0-AA66-54783D97577A} - C:\WINDOWS\SYSTEM\LNNKVH.DLL (file missing)
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
The above 2 may have been set by Spybot or Spy Sweeper; you can fix them.
O16 - DPF: {9E7138EE-4E7B-11D5-94EF-006008A4ED7F} - http://www.sex-jp.net/if02/oth/DialX16.CAB
O16 - DPF: {D22AC3EF-B7D8-11D5-A281-005056BF0101} - http://dist02.chargitdial.com/chargitplug.dll
O16 - DPF: {130AC32C-DE0D-43EF-AD82-2599E9F95153} (XEng001.XEng001Ctl) - http://www.uranus.dti.ne.jp/~picpic/001/XEng001.CAB
O16 - DPF: {CFCB7308-782F-11D4-BE27-000102598CE4} (NPX Control) - http://nprotect1.gravity.co.kr/nprotect/npx.cab
O16 - DPF: {8C6C6922-6258-44AC-9912-53964AC55272} (xload Class) - http://217.160.140.67/download/xloader8.cab
O16 - DPF: {8C6C6922-6258-44AC-9912-53964AC55275} (xload Class) - http://217.160.140.67/download/xloader9.cab
Open Internet Sweeper and check only these options for now:
Under Microsoft Windows 98
Check>>>>Recent Documents==Recycle Bin===Temp Directory
Under Internet Explorer 6
Check>>>>Cache==Cookies===History===Addresses
Under Internet Sweeper 1.8.4
Check>>>Delete Files that are in use when Windows Restarts
After you have just the above checked, click on the SWEEP button>>>Continue
Let it do its job.
RESTART your computer to finish cleaning.
After Restart
You should download these 2 utilities; they don't run in the background.
They just silently help to protect your privacy---Take a look
SpywareBlaster by JavaCool---will block bad ActiveX and malevolent cookies
Install---Check for Updates---Enable all protection
http://www.javacoolsoftware.com/spywareblaster.html
IE-Spyad---IE-SPYAD puts over 5000 sites in your Restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link:
TUTORIAL==IE Spyad Tutorial (http://www.bleepingcomputer.com/forums/index.php?showtutorial=53)
Download link==IE-Spyad download link (https://netfiles.uiuc.edu/ehowes/www/resource.htm#IESPYAD)
Scroll down and click on IE-SPYAD.EXE Free!
Post back with a fresh HijackThis log afterwards and let me know how things are going.
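The entries singled out above share a few objective traits: O2 BHO registrations whose DLL no longer exists, and O16 ActiveX downloads served from a bare IP address, shipped as a raw .dll/.exe instead of a .cab, or registered with no friendly control name. This added example (my own triage script, not anything from the thread or from HijackThis) applies those heuristics to a constructed handful of log lines in the same format; the rules are assumptions for illustration, and a flagged entry still needs a human look before it is fixed.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed sample in HijackThis format (a subset of the entries above).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {AC73AB16-BFB2-11CA-FBAE-CA9E1863C3EF} - (no file)
O2 - BHO: (no name) - {2B8D0655-E928-6AD0-AA66-54783D97577A} - C:\WINDOWS\SYSTEM\LNNKVH.DLL (file missing)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_5_0.DLL
O16 - DPF: {8C6C6922-6258-44AC-9912-53964AC55272} (xload Class) - http://217.160.140.67/download/xloader8.cab
O16 - DPF: {9771C160-AD19-11D5-91BE-0048546CB511} - http://216.176.203.29/data/program3/download.exe
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {D22AC3EF-B7D8-11D5-A281-005056BF0101} - http://dist02.chargitdial.com/chargitplug.dll
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
O16_RE = re.compile(r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\})(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)")

def is_ip_literal(host):
    """True when the download host is a raw IPv4/IPv6 address rather than a hostname."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False

def triage(log_text):
    """Return (section, CLSID, [reasons]) for each entry that trips a heuristic."""
    findings = []
    for line in log_text.splitlines():
        m = O2_RE.match(line)
        if m:
            # A BHO whose DLL is gone is dead weight at best; the registration should go.
            if "(no file)" in m.group("path") or "(file missing)" in m.group("path"):
                findings.append(("O2", m.group("clsid"), ["BHO registered but its DLL is missing"]))
            continue
        m = O16_RE.match(line)
        if m:
            reasons = []
            url = urlparse(m.group("url"))
            if is_ip_literal(url.hostname or ""):
                reasons.append("control downloaded from a bare IP address")
            if not url.path.lower().endswith(".cab"):
                reasons.append("download is a raw .dll/.exe rather than a .cab package")
            if not m.group("name"):
                reasons.append("no friendly control name registered")
            if reasons:
                findings.append(("O16", m.group("clsid"), reasons))
    return findings

if __name__ == "__main__":
    for section, clsid, reasons in triage(SAMPLE_LOG):
        print(section, clsid, "; ".join(reasons))
```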
-
Forgot to add, you will want to completely remove Norton AntiVirus 2004.
You can try their utility from their website and follow the instructions outlined:
Norton 2004 Uninstallation (http://service1.symantec.com/SUPPORT/nav.nsf/docid/2004020915570606?Open&src=sg&docid=2003080311011006&nsf=nav.nsf&view=d4578f66d8f00a0188256d4e006aaa94/7acf65b345b0449f88256d7700623839?opendocument&prod=norton%20antivirus&ver=2004%20for%20windows%202000/me/98&dtype=&prod=Norton%20AntiVirus&ver=2004%20for%20Windows%202000/Me/98/XP&osv=&osv_lvl=)