« previous next »
Pages: [1]

Author Topic: Hijackthis log. what is safe to delete  (Read 1327 times)

Offline DrWu

  • Newbie
  • *
  • Posts: 3
  • Karma: +0/-0
    • View Profile
Hijackthis log. what is safe to delete
« on: September 11, 2004, 05:50:41 AM »
Hi folks

I am one of the many thousands of poor shmucks out there currently having a coolsearch related nervous breakdown.

The thing keeps reinstalling itself despite CWShredder and the latest adaware.

Having followed the advice on this forum I downloaded hijackthis but wondered if anyone would be goood enough to examine my log and tell me what I need to delete?

Here it is, thanks!

Logfile of HijackThis v1.98.2
Scan saved at 11:44:23, on 18/02/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\PROGRAM FILES\KERIO\PERSONAL FIREWALL 4\KPF4SS.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\KERIO\PERSONAL FIREWALL 4\KPF4GUI.EXE
C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\MOUSE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\E_S10IC2.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\BT VOYAGER 105 ADSL MODEM\DSLSTAT.EXE
C:\PROGRAM FILES\BT VOYAGER 105 ADSL MODEM\DSLAGENT.EXE
C:\WINDOWS\SYSTEM\HOST32.EXE
C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\AIM\AIM.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\GETRIGHT\GETRIGHT.EXE
C:\PROGRAM FILES\SAMSUNG\DIGIMAX VIEWER 2.0\STIMGBROWSER.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\BT BROADBAND\HELP\BIN\MPBTN.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,Default_Search_URL = http://0-OL1OIZ-XOLXII1-OXLI10OZL1L1-O-L-1...2/ogsearch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\habvs.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\habvs.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.Email Removed/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\habvs.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\habvs.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\habvs.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\habvs.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\habvs.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://rd.yahoo.com/customize/ymsgr/defaul...//www.yahoo.com
R3 - Default URLSearchHook is missing
F1 - win.ini: run=C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE
O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - (no file)
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMMON\YCOMP5_0_2_6.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [EM_EXEC] c:\mouse\system\em_exec.exe
O4 - HKLM\..\Run: [Multimedia Keyboard] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [Onscreen Display] C:\Program Files\Netropa\Onscreen Display\OSD.exe
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [AttuneClientEngine] C:\PROGRA~1\AVEO\ATTUNE\bin\AttnEngn.exe
O4 - HKLM\..\Run: [AttuneSysTrayNotifier] C:\PROGRAM FILES\AVEO\ATTUNE\BIN\ATTNNOST.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [EPSON Stylus C44 Series] C:\WINDOWS\SYSTEM\E_S10IC2.EXE /P23 "EPSON Stylus C44 Series" /O7 "EPUSB1:" /M "Stylus C44"
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [stcinstaller] c:\installer\id53.exe
O4 - HKLM\..\Run: [9eck] C:\WINDOWS\TEMP\9ECK.EXE
O4 - HKLM\..\Run: [WinInit] Win86.exe
O4 - HKLM\..\Run: [WinLogin] win32x.exe
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [updmgr] C:\Program Files\Common files\updmgr\updmgr.exe
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\SYSTEM\host32.exe internat.dll,LoadKeyboardProfile
O4 - HKLM\..\Run: [xpsystem] C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [KPF4] c:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O4 - HKLM\..\RunServices: [CRZT32.EXE] C:\WINDOWS\SYSTEM\CRZT32.EXE
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [NETZIP SMARTDOWNLOADER] C:\WINDOWS\SYSTEM\npnzdad.exe /t
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [xpsystem] C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE
O4 - Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Digimax Viewer 2.0.lnk = C:\Program Files\Samsung\Digimax Viewer 2.0\STImgBrowser.exe
O4 - Startup: BT Broadband Help.lnk = C:\Program Files\BT Broadband\Help\bin\matcli.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0819.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0819.DLL
O9 - Extra button: downloadsoftware - {C8950078-94A4-4C32-BB9C-4666357965AF} - C:\download10\index.htm (file missing)
O9 - Extra button: Antivirus - {4358161B-A4B8-498E-8019-3DAB50DFD578} - http://www.accesoplugin.com/prom/a_virus2/...d10&ver=4&t=new (file missing)
O9 - Extra button: Bromas y chistes - {068C36CF-483E-4CA8-A7F2-10EFFDA49C45} - http://www.accesoplugin.com/prom/a_bromas2...d10&ver=4&t=new (file missing)
O12 - Plugin for .avi: C:\Program Files\Netscape\Communicator\Program\PLUGINS\NPAVI32.DLL
O12 - Plugin for .ivr: C:\PROGRA~1\INTERN~1\PLUGINS\NPRVRT32.dll
O15 - Trusted Zone: http://register-tesco.qa.business.ntl.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.scoobidoo.com
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/...ymmapi_0727.dll
O16 - DPF: {02466323-75ED-11CF-A267-0020AF2546EA} (VivoActive Control) - http://player.vivo.com/ie/vvweb.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/26bd83c04460bb613d06/...ip/RdxIE601.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...etup1.0.0.8.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...ireShowdown.cab
O16 - DPF: {2CFB52FD-7CF2-479C-BF65-B27F8A834F31} (SecureSession Class) - http://www.samsungtechwin.com/include/pki/...SecuiTechIE.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.sc-server1.bt.com/broadband/Mot...tivePreQual.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php...de72640af5cb44d
O16 - DPF: {2C0F2AEA-3A9B-46DB-A7BE-80FF329E415D} (PremiumInternacional Class) - http://www.accesoplugin.com/dialercab/PPre...ternacional.cab

Thanks again
Steve.
Logged

guestolo

  • Guest
Hijackthis log. what is safe to delete
« Reply #1 on: September 11, 2004, 11:52:59 AM »
Set Windows to Show Hidden Files and Folders

Create a New folder on your desktop, call it Aboutbuster
Download to desktop About:Buster
by RubbeR Ducky
Unzip it to that new folder===Run this later

RESTART your computer in SAFE MODE

Find and delete these files or folders

C:\WINDOWS\SYSTEM\HOST32.EXE
c:\installer\id53.exe
C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE
C:\WINDOWS\SYSTEM\CRZT32.EXE
Win86.exe
win32x.exe
internat.dll <--don't confuse it with internat.exe

C:\Program Files\Common files\updmgr <--this folder


Stay in Safe mode and do another scan with hijackthis
Put a check next to these entries and then FIX CHECKED

R1 - HKCU\Software\Microsoft\Internet Explorer,Default_Search_URL = http://0-OL1OIZ-XOLXII1-OXLI10OZL1L1-O-L-1...2/ogsearch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\habvs.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\habvs.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.Email Removed/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\habvs.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\habvs.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\habvs.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\habvs.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\habvs.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =

R3 - Default URLSearchHook is missing
F1 - win.ini: run=C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE
O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - (no file)
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)

O4 - HKLM\..\Run: [stcinstaller] c:\installer\id53.exe
O4 - HKLM\..\Run: [9eck] C:\WINDOWS\TEMP\9ECK.EXE
O4 - HKLM\..\Run: [WinInit] Win86.exe
O4 - HKLM\..\Run: [WinLogin] win32x.exe

O4 - HKLM\..\Run: [updmgr] C:\Program Files\Common files\updmgr\updmgr.exe
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\SYSTEM\host32.exe internat.dll,LoadKeyboardProfile
O4 - HKLM\..\Run: [xpsystem] C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O9 - Extra button: downloadsoftware - {C8950078-94A4-4C32-BB9C-4666357965AF} - C:\download10\index.htm (file missing)
O9 - Extra button: Antivirus - {4358161B-A4B8-498E-8019-3DAB50DFD578} - http://www.accesoplugin.com/prom/a_virus2/...d10&ver=4&t=new (file missing)
O9 - Extra button: Bromas y chistes - {068C36CF-483E-4CA8-A7F2-10EFFDA49C45} - http://www.accesoplugin.com/prom/a_bromas2...d10&ver=4&t=new (file missing)

O15 - Trusted Zone: http://register-tesco.qa.business.ntl.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.scoobidoo.com

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/26bd83c04460bb613d06/...ip/RdxIE601.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...etup1.0.0.8.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php...de72640af5cb44d
O16 - DPF: {2C0F2AEA-3A9B-46DB-A7BE-80FF329E415D} (PremiumInternacional Class) - http://www.accesoplugin.com/dialercab/PPre...ternacional.cab

I would fix these next ones too, Not immeditate threats, but they are NOT needed on startup, using up valuable resources

O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

After you have fixed the above, close down hijackthis
Open About:buster and hit ok.   Now for the scanning part. Hit Start and then Ok. The program should start scanning.Scan a Second time. Then hit exit

Restart your computer back into Normal mode
Do an updated scan with Ad-Aware SE Personal 1.04 (This is the latest)
Check for updates
Do a Full System Scan and remove all critical objects
Restart your computer to finish the cleaning process  

Post back with a Fresh hijackthis log
Logged

Offline DrWu

  • Newbie
  • *
  • Posts: 3
  • Karma: +0/-0
    • View Profile
Hijackthis log. what is safe to delete
« Reply #2 on: September 12, 2004, 06:46:49 AM »
Thanks for that  guestolo. For someone to take the time to help out like that is just fantastic!

Couldn't find any of the .exe files you asked me to find and remove but I had run various bits of anti trojan/spyware software before I ran the hijack this scan again so maybe they got them.

Did everything you asked else plus CWSHREDDER plus the Lavasoft Trojan destroyer.

Here's the new  HiJacKThis log. (everything seems okay so far....!)

Logfile of HijackThis v1.98.2
Scan saved at 12:41:30, on 19/02/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\PROGRAM FILES\KERIO\PERSONAL FIREWALL 4\KPF4SS.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\KERIO\PERSONAL FIREWALL 4\KPF4GUI.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\MOUSE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\WINDOWS\SYSTEM\E_S10IC2.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\BT VOYAGER 105 ADSL MODEM\DSLSTAT.EXE
C:\PROGRAM FILES\BT VOYAGER 105 ADSL MODEM\DSLAGENT.EXE
C:\PROGRAM FILES\TROJANHUNTER 4.0\THGUARD.EXE
C:\WINDOWS\SYSTEM\HOST32.EXE
C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\AIM\AIM.EXE
C:\PROGRAM FILES\GETRIGHT\GETRIGHT.EXE
C:\PROGRAM FILES\SAMSUNG\DIGIMAX VIEWER 2.0\STIMGBROWSER.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\BT BROADBAND\HELP\BIN\MPBTN.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.Email Removed/
O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - (no file)
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMMON\YCOMP5_0_2_6.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [EM_EXEC] c:\mouse\system\em_exec.exe
O4 - HKLM\..\Run: [Multimedia Keyboard] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [Onscreen Display] C:\Program Files\Netropa\Onscreen Display\OSD.exe
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [AttuneClientEngine] C:\PROGRA~1\AVEO\ATTUNE\bin\AttnEngn.exe
O4 - HKLM\..\Run: [AttuneSysTrayNotifier] C:\PROGRAM FILES\AVEO\ATTUNE\BIN\ATTNNOST.EXE
O4 - HKLM\..\Run: [EPSON Stylus C44 Series] C:\WINDOWS\SYSTEM\E_S10IC2.EXE /P23 "EPSON Stylus C44 Series" /O7 "EPUSB1:" /M "Stylus C44"
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 4.0\THGUARD.EXE"
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\SYSTEM\host32.exe internat.dll,LoadKeyboardProfile
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [KPF4] c:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O4 - HKLM\..\RunServices: [CRZT32.EXE] C:\WINDOWS\SYSTEM\CRZT32.EXE
O4 - HKLM\..\RunServices: [MFCNA.EXE] C:\WINDOWS\MFCNA.EXE
O4 - HKLM\..\RunServices: [CRKJ32.EXE] C:\WINDOWS\CRKJ32.EXE
O4 - HKLM\..\RunServices: [APIDE.EXE] C:\WINDOWS\SYSTEM\APIDE.EXE
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [NETZIP SMARTDOWNLOADER] C:\WINDOWS\SYSTEM\npnzdad.exe /t
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\AIM\aim.exe -cnetwait.odl
O4 - Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O4 - Startup: Digimax Viewer 2.0.lnk = C:\Program Files\Samsung\Digimax Viewer 2.0\STImgBrowser.exe
O4 - Startup: BT Broadband Help.lnk = C:\Program Files\BT Broadband\Help\bin\matcli.exe
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0819.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0819.DLL
O9 - Extra button: downloadsoftware - {C8950078-94A4-4C32-BB9C-4666357965AF} - C:\download10\index.htm (file missing)
O12 - Plugin for .avi: C:\Program Files\Netscape\Communicator\Program\PLUGINS\NPAVI32.DLL
O12 - Plugin for .ivr: C:\PROGRA~1\INTERN~1\PLUGINS\NPRVRT32.dll
O15 - Trusted Zone: http://register-tesco.qa.business.ntl.com
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/...ymmapi_0727.dll
O16 - DPF: {02466323-75ED-11CF-A267-0020AF2546EA} (VivoActive Control) - http://player.vivo.com/ie/vvweb.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...ireShowdown.cab
O16 - DPF: {2CFB52FD-7CF2-479C-BF65-B27F8A834F31} (SecureSession Class) - http://www.samsungtechwin.com/include/pki/...SecuiTechIE.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.sc-server1.bt.com/broadband/Mot...tivePreQual.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -


Thanks again
Steve
Logged

Offline DrWu

  • Newbie
  • *
  • Posts: 3
  • Karma: +0/-0
    • View Profile
Hijackthis log. what is safe to delete
« Reply #3 on: September 12, 2004, 08:17:08 AM »
Thought I was okay but spoke too soon http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/mad.gif\' class=\'bbc_emoticon\' alt=\':angry:\' />

I still get a window appearing saying "preparing plug in" it very quickly installs and then when I check my desktop there's a shortcut to a sex site!


aarrrgghhhh!!!
Logged

Guest

  • Guest
Hijackthis log. what is safe to delete
« Reply #4 on: September 12, 2004, 11:27:17 AM »
Open Hijackthis>>>>>Config>>>>Misc Tools>>>>DELETE A FILE ON REBOOT
Navigate to the files---Right click on them and Select them
Do this for each one of these files-----Don't Restart your computer yet
Carry on with whatever you can find

C:\WINDOWS\SYSTEM\CRZT32.EXE <--this file
C:\WINDOWS\MFCNA.EXE <--file
C:\WINDOWS\CRKJ32.EXE <--file
C:\WINDOWS\SYSTEM\APIDE.EXE <--file

C:\WINDOWS\SYSTEM\HOST32.EXE <--file

Do another Scan with hijackthis and put a check next these entries and then FIX CHECKED AFTER ALL other windows are closed

O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - (no file)

O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\SYSTEM\host32.exe internat.dll,LoadKeyboardProfile <--this is not legitimate

O4 - HKLM\..\RunServices: [CRZT32.EXE] C:\WINDOWS\SYSTEM\CRZT32.EXE
O4 - HKLM\..\RunServices: [MFCNA.EXE] C:\WINDOWS\MFCNA.EXE
O4 - HKLM\..\RunServices: [CRKJ32.EXE] C:\WINDOWS\CRKJ32.EXE
O4 - HKLM\..\RunServices: [APIDE.EXE] C:\WINDOWS\SYSTEM\APIDE.EXE

O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -


AFTER you have fix checked and closed hijackthis
Open About:Buster and run a scan, do it 2 times when prompted

RESTART your computer and run About:Buster one more time

Post back with a Fresh Hijackthis log and About:buster logs
Logged

guestolo

  • Guest
Hijackthis log. what is safe to delete
« Reply #5 on: September 12, 2004, 11:29:05 AM »
Sorry, I missed this entry
You can have hijackthis fix it
That was me up above

O9 - Extra button: downloadsoftware - {C8950078-94A4-4C32-BB9C-4666357965AF} - C:\download10\index.htm (file missing)
Logged
Pages: [1]
« previous next »