Help plz.


Espart
October 11th, 2003, 09:52 AM
Would you plz help me with this HijackThis log file. Thanks much in advance.



Logfile of HijackThis v1.97.2
Scan saved at 21:30:58, on 09.10.2003
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAMFILER\MESSENGER PLUS! 2\MSGPLUS.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\LEXPPS.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAMFILER\ROXIO\WINONCD\DIRECTCD\DIRECTCD.EXE
C:\PROGRAMFILER\FELLESFILER\REAL\UPDATE_OB\EVNTSVC.EXE
C:\PROGRAMFILER\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAMFILER\FREE DOWNLOADS ACCELERATOR\FDAAGENT.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAMFILER\DAP\DAP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAMFILER\WINRAR\WINRAR.EXE
C:\WINDOWS\TEMP\RAR$EX01.304\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/customize/ymsgr/defaul...://my.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: (no name) - {98DE779A-2364-4293-AB71-2B97C61C4640} - C:\PROGRA~1\FREEDO~1\FDAHLP99.DLL
O3 - Toolbar: &Kangaroo - {663C7429-E454-11D3-B9AE-0000B4C32B4D} - C:\IDC\WEBKA.DLL
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: FDA Bar - {9595C62C-76C6-49A6-9BDA-3253DD7A34FF} - C:\PROGRAMFILER\FREE DOWNLOADS ACCELERATOR\FDABAR99.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\SYSTEM\QTTASK.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Programfiler\Roxio\WinOnCD\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\PROGRAMFILER\WINAMP\WINAMPa.exe"
O4 - HKLM\..\Run: [TkBellExe] C:\Programfiler\Fellesfiler\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\Zone Labs\ZoneAlarm\zapro.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [AvxIni] c:\programfiler\softwin\bdhome\avxinit.exe
O4 - HKLM\..\RunServices: [MessengerPlus2] "C:\Programfiler\Messenger Plus! 2\MsgPlus.exe"
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Programfiler\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MessengerPlus2] "C:\Programfiler\Messenger Plus! 2\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAMFILER\MSN MESSENGER\MSNMSGR.EXE" /background
O4 - Startup: Symantec Setup Launcher.lnk = C:\WINDOWS\TEMP\SymLnch.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: Download with Free Downloads Accelerator - C:\Programfiler\Free Downloads Accelerator\fdaie.htm
O9 - Extra button: Kangaroo (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Net2Phone (HKLM)
O9 - Extra 'Tools' menuitem: Net2Phone (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {73973630-3F6B-4112-972E-F9CB01365C1F} (PalInstl Class) - http://www.paltalk.com/paltalk2/Download/InstlWiz.CAB
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potb_x.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003080...all/xscan53.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security1.norton.com/SSC/SharedCont...c/bin/cabsa.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {F5820AD3-9B20-423E-B2AA-7AF2B4055746} (CRegistryDownload Class) - http://www.paltalk.com/prod/RegDload.CAB
O16 - DPF: {B842835B-769C-4041-9E0C-5CCC1D0334AB} (kevin.UserControl1) - http://voicecafe.optecs.net/kevin/kevin.CAB
O16 - DPF: Yahoo! Go Fish - http://download.games.yahoo.com/games/clients/y/zt3_x.cab
O16 - DPF: {FE8287E9-5F43-11D3-ABCA-00105A5C1F46} (HouseCall Control) - http://www.housecall.nl/housecall/xscan4.cab
O16 - DPF: Yahoo! Graffiti - http://download.games.yahoo.com/games/clients/y/grt0_x.cab
O16 - DPF: Yahoo! Bingo - http://download.games.yahoo.com/games/clients/y/xt0_x.cab
O16 - DPF: Yahoo! Checkers - http://download.games.yahoo.com/games/clients/y/kt0_x.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt0_x.cab
O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot2_x.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.communities.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} (MSN Chat Control 4.2) - http://sc.communities.msn.com/controls/chat/msnchat42.cab

Pieter_Arntz
October 11th, 2003, 11:41 AM
Hi Espart,

There is not very much wrong with your log.

Check the following items in HijackThis.
Close all windows except HijackThis and click Fix checked:

O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O9 - Extra button: Net2Phone (HKLM)
O9 - Extra 'Tools' menuitem: Net2Phone (HKLM)

Then reboot.

Was there any special reason you posted your log?

Regards,

Pieter

Espart
October 11th, 2003, 11:49 AM
Thanks a lot, I will do what you said, and the reason I posted the log file was that my loving computer is infected by this virus or whatever it's called, Dialer... I tried some anti-virus programs, but they couldn't remove the virus.

BWMerlin
October 11th, 2003, 10:08 PM
If you have a dialer you will need a different program such as Spybot Search & Destroy. You can download it from the link in my signature.

TonyKlein
October 12th, 2003, 05:54 PM
I'm curious about this startup entry:

O4 - Startup: Symantec Setup Launcher.lnk = C:\WINDOWS\TEMP\SymLnch.exe

I've never heard of it before, and I somehow doubt it's indeed by Symantec.
But that should be easy to find out:

Please find the C:\WINDOWS\TEMP\SymLnch.exe file, right-click it, and choose 'Properties'.

What does it say?

If it's not by Symantec, please send a copy of the file to this e-mail address (submit-stuff@xs4all.nl) for analysis.
It smells like a baddie, and in that case we'd want to forward copies to the developers ASAP!

We'd appreciate it! :)

Subsequently have Hijack This fix that line, reboot, and delete the ENTIRE contents of your C:\Windows\Temp folder.

Cheers,
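The two checks the replies above apply by eye, an O3 toolbar whose CLSID has no backing file (Pieter's fix list) and an O4 autostart launched from a temp directory (TonyKlein's SymLnch.exe question), can be automated over the HijackThis line format. The script below is an added example, not part of this thread or of HijackThis; the log excerpt inside it is constructed from entries quoted in the thread.

```python
import re

# Constructed excerpt of the HijackThis v1.97.2 log posted above (not the full log).
SAMPLE_LOG = r"""
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - Startup: Symantec Setup Launcher.lnk = C:\WINDOWS\TEMP\SymLnch.exe
O9 - Extra button: Net2Phone (HKLM)
"""

# Every HijackThis entry line starts with a section code (R0..R3, O1..O16 ...) and " - ".
ENTRY_RE = re.compile(r"^(R\d|O\d+) - (.*)$")
# Matches a "\TEMP\" path component regardless of case (Win9x logs mix cases freely).
TEMP_PATH_RE = re.compile(r"\\TEMP\\", re.IGNORECASE)


def parse_entries(log_text):
    """Yield (section, body) pairs for each entry line; process list and header are skipped."""
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2)


def triage(log_text):
    """Return (section, reason, body) for entries worth a closer look.

    The heuristics are exactly the two used in the thread: an O3 toolbar
    registration whose file is gone, and any O4 autostart that runs out of a
    temp directory. Everything else is left for a human to judge.
    """
    findings = []
    for section, body in parse_entries(log_text):
        if section == "O3" and body.endswith("(no file)"):
            findings.append((section, "toolbar CLSID with no backing file", body))
        elif section == "O4" and TEMP_PATH_RE.search(body):
            findings.append((section, "autostart launched from a temp directory", body))
    return findings


if __name__ == "__main__":
    for section, reason, body in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}: {body}")
```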