HiJack This help

Discussion in 'adware, spyware & hijack cleaning' started by splicha, Mar 30, 2004.

Thread Status:
Not open for further replies.
  1. splicha

    splicha Registered Member

    Joined:
    Mar 30, 2004
    Posts:
    10
    I've got a bunch of stuff in my HiJack This scan that I think needs to go... but I'm not sure... Help!
     
    splicha, Mar 30, 2004
    #1
  2. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,475
    Location:
    The Netherlands
    Please post your full log file ;)

    regards.

    paul
     
    Paul Wilders, Mar 30, 2004
    #2
  3. splicha

    splicha Registered Member

    Joined:
    Mar 30, 2004
    Posts:
    10
    I have been trying to post my LOG file but cannot get the darn thing to go through. Any ideas?
     
    splicha, Mar 30, 2004
    #3
  4. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    5,703
    Location:
    North Carolina, USA
    Just copy and paste it into your post..... That is easier and better that trying to add it as an attachment....

    HTH....

    Regards,
    Kent
     
    puff-m-d, Mar 30, 2004
    #4
  5. splicha

    splicha Registered Member

    Joined:
    Mar 30, 2004
    Posts:
    10
    I have tried posting it 3 times now and it keeps "timing out". Any ideas?
     
    splicha, Mar 30, 2004
    #5
  6. splicha

    splicha Registered Member

    Joined:
    Mar 30, 2004
    Posts:
    10
    I've tried that 3 times. No luck. o_O?? Still timing out.
     
    splicha, Mar 30, 2004
    #6
  7. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    5,703
    Location:
    North Carolina, USA
    Try emailing it to the address in my profile and I will post it for you.

    Kent
     
    puff-m-d, Mar 30, 2004
    #7
  8. splicha

    splicha Registered Member

    Joined:
    Mar 30, 2004
    Posts:
    10
    Hey, I just emailed it to you. Thank you for the help!
     
    splicha, Mar 30, 2004
    #8
  9. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    5,703
    Location:
    North Carolina, USA
    Posted for splicha...
    I will have a fix in a few minutes.....

    Here is my log. Thanks for the help.
    Splicha

    Logfile of HijackThis v1.97.7
    Scan saved at 2:57:36 PM, on 3/30/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\STARTER.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

    O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [bymer.scanner] "c:\windows\system\wininit.exe"
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [Microsoft WebServer] C:\Program Files\WebSvr\System\svctrl /init
    O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee Office\McAfee VirusScan\alogserv.exe
    O4 - HKLM\..\Run: [Vshwin32EXE] C:\Program Files\McAfee\McAfee Office\McAfee VirusScan\VSHWIN32.EXE
    O4 - HKLM\..\Run: [Microsoft Diagnostic] C:\WINDOWS\SYSTEM\uqlnd.exe
    O4 - HKLM\..\Run: [xlbyacnl] C:\WINDOWS\SYSTEM\qqefxbcp.exe
    O4 - HKLM\..\Run: [AccessRampMonitor] C:\WINDOWS\INTUIT\SHARED\ARMon32.exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
    O4 - HKLM\..\Run: [systray] C:\WINDOWS\SYSTEM\A.EXE
    O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
    O4 - HKLM\..\RunServices: [distributed.net client] "C:\WINDOWS\SYSTEM\dnetc.exe" -hide
    O4 - HKLM\..\RunServices: [McAfeeVirusScanService] C:\Program Files\McAfee\McAfee Office\McAfee VirusScan\AVSYNMGR.EXE
    O4 - HKLM\..\RunServices: [V128IID] Rundll32.exe C:\WINDOWS\SYSTEM\v128iitw.dll,STB_InitTweak
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [McAfee Image] "C:\Program Files\McAfee\McAfee Shared Components\McAfee Image\image32.exe" /AUTO
    O4 - HKLM\..\RunServices: [Microsoft WebServer] C:\Program Files\WebSvr\System\inetsw95.exe -w3svc
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\AIM\aim.exe -cnetwait.odl
    O4 - Startup: Corel MEDIA FOLDERS INDEXER 8.LNK = C:\Corel\Graphics8\Programs\MFIndexer.exe
    O4 - Startup: Billminder.lnk = C:\Program Files\QUICKENW\BILLMIND.EXE
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
    O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: Yahoo! Graffiti - http://download.games.yahoo.com/games/clients/y/grt1_x.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37866.4591666667
    O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} - https://components.viewpoint.com/MTSInstallers/MetaStream3.cab?url=http://www.viewpoint.com/cgi-bin/vet_install_popup.pl?1&04.00.07.02&http://www.scion.com/config/xa/xa_include.htm
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
    O16 - DPF: Yahoo! Word Racer - http://download.games.yahoo.com/games/clients/y/wt0_x.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popcap/zuma/popcaploader_v5.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
    O16 - DPF: {33288993-5664-11D4-8B5B-00D0B73B3518} (ell Class) - http://www.easports.com/downloads/games/common/ieell.cab
    O16 - DPF: {ECF5F2BD-C78B-4C6F-91BB-2A311FCCA4C7} (WTApp Class) - http://www.shockwave.com/content/combat_medic/CMonline.dll
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = sbcglobal.net
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 4.2.2.2,4.2.2.1
     
    puff-m-d, Mar 30, 2004
    #9
  10. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    5,703
    Location:
    North Carolina, USA
    Hi splicha,

    Welcome to Wilders.

    Before you start, please unzip or move HijackThis to a separate folder. The program will make backups in the folder it's in. These easily get lost in a temporary folder.

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    O4 - HKLM\..\Run: [bymer.scanner] "c:\windows\system\wininit.exe"

    O4 - HKLM\..\Run: [Microsoft Diagnostic] C:\WINDOWS\SYSTEM\uqlnd.exe
    O4 - HKLM\..\Run: [xlbyacnl] C:\WINDOWS\SYSTEM\qqefxbcp.exe

    O4 - HKLM\..\Run: [systray] C:\WINDOWS\SYSTEM\A.EXE

    Then reboot in Safe Mode and delete the following:

    c:\windows\system\wininit.exe
    C:\WINDOWS\SYSTEM\uqlnd.exe
    C:\WINDOWS\SYSTEM\qqefxbcp.exe
    C:\WINDOWS\SYSTEM\A.EXE

    Reboot and then post a fresh HijackThis log.

    Regards,
    Kent
     
    puff-m-d, Mar 30, 2004
    #10
  11. splicha

    splicha Registered Member

    Joined:
    Mar 30, 2004
    Posts:
    10
    I'm not sure how to "Reboot in Safe Mode"... ?
     
    splicha, Mar 30, 2004
    #11
  12. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    5,703
    Location:
    North Carolina, USA
    puff-m-d, Mar 30, 2004
    #12
  13. splicha

    splicha Registered Member

    Joined:
    Mar 30, 2004
    Posts:
    10
    OK, I'm back after Hi'jacking and deleting files. I'm still getting a "time out" when I try to post my new log file. Can I email it again?
     
    splicha, Mar 30, 2004
    #13
  14. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    5,703
    Location:
    North Carolina, USA
    No problem....

    Kent
     
    puff-m-d, Mar 30, 2004
    #14
  15. splicha

    splicha Registered Member

    Joined:
    Mar 30, 2004
    Posts:
    10
    I just emailed the log file. I really appreciate all the help.
     
    splicha, Mar 30, 2004
    #15
  16. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    5,703
    Location:
    North Carolina, USA
    Posted for splicha...
    I will be back in a few minutes with an analysis.....

    Logfile of HijackThis v1.97.7
    Scan saved at 4:28:24 PM, on 3/30/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\DNETC.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\WEBSVR\SYSTEM\INETSW95.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\STARTER.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\COREL\GRAPHICS8\PROGRAMS\MFINDEXER.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
    C:\WINDOWS\DESKTOP\HIJACK THIS\HIJACKTHIS.EXE

    O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [Microsoft WebServer] C:\Program Files\WebSvr\System\svctrl /init
    O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee Office\McAfee VirusScan\alogserv.exe
    O4 - HKLM\..\Run: [Vshwin32EXE] C:\Program Files\McAfee\McAfee Office\McAfee VirusScan\VSHWIN32.EXE
    O4 - HKLM\..\Run: [AccessRampMonitor] C:\WINDOWS\INTUIT\SHARED\ARMon32.exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
    O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
    O4 - HKLM\..\RunServices: [distributed.net client] "C:\WINDOWS\SYSTEM\dnetc.exe" -hide
    O4 - HKLM\..\RunServices: [McAfeeVirusScanService] C:\Program Files\McAfee\McAfee Office\McAfee VirusScan\AVSYNMGR.EXE
    O4 - HKLM\..\RunServices: [V128IID] Rundll32.exe C:\WINDOWS\SYSTEM\v128iitw.dll,STB_InitTweak
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [McAfee Image] "C:\Program Files\McAfee\McAfee Shared Components\McAfee Image\image32.exe" /AUTO
    O4 - HKLM\..\RunServices: [Microsoft WebServer] C:\Program Files\WebSvr\System\inetsw95.exe -w3svc
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\AIM\aim.exe -cnetwait.odl
    O4 - Startup: Corel MEDIA FOLDERS INDEXER 8.LNK = C:\Corel\Graphics8\Programs\MFIndexer.exe
    O4 - Startup: Billminder.lnk = C:\Program Files\QUICKENW\BILLMIND.EXE
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
    O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: Yahoo! Graffiti - http://download.games.yahoo.com/games/clients/y/grt1_x.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37866.4591666667
    O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} - https://components.viewpoint.com/MTSInstallers/MetaStream3.cab?url=http://www.viewpoint.com/cgi-bin/vet_install_popup.pl?1&04.00.07.02&http://www.scion.com/config/xa/xa_include.htm
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
    O16 - DPF: Yahoo! Word Racer - http://download.games.yahoo.com/games/clients/y/wt0_x.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popcap/zuma/popcaploader_v5.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
    O16 - DPF: {33288993-5664-11D4-8B5B-00D0B73B3518} (ell Class) - http://www.easports.com/downloads/games/common/ieell.cab
    O16 - DPF: {ECF5F2BD-C78B-4C6F-91BB-2A311FCCA4C7} (WTApp Class) - http://www.shockwave.com/content/combat_medic/CMonline.dll
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = sbcglobal.net
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 4.2.2.2,4.2.2.1
     
    puff-m-d, Mar 30, 2004
    #16
  17. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    5,703
    Location:
    North Carolina, USA
    Hi splicha,

    Your log looks clean now, good work!

    One of the experts here should be by in a few hours and I will have them look at your log to see if they see anything that could be causing your time out issue.....

    Regards,
    Kent
     
    puff-m-d, Mar 30, 2004
    #17
  18. splicha

    splicha Registered Member

    Joined:
    Mar 30, 2004
    Posts:
    10
    Thanks a million. I'll check back again later. Thanks again.
     
    splicha, Mar 30, 2004
    #18
  19. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    I'm inclined to think this is the slow down problem

    O4 - HKLM\..\RunServices: [distributed.net client] "C:\WINDOWS\SYSTEM\dnetc.exe" -hide

    http://support.microsoft.com/default.aspx?scid=kb;en-us;q276283

    Run an online antivirus check from at least one and preferably 2 of the following sites
    http://security.symantec.com/default.asp?
    http://housecall.trendmicro.com/
    http://www.pandasoftware.com/activescan/
    http://www.ravantivirus.com/scan/
    http://www3.ca.com/virusinfo/
    http://www.anti-trojan.net/en/onlinecheck.aspx

    and see what they find


    edited to add url tags
     
    dvk01, Mar 31, 2004
    #19
  20. splicha

    splicha Registered Member

    Joined:
    Mar 30, 2004
    Posts:
    10
    I am still getting a "time out" message trying to post most things. I just emailed you again.
    Thanks.
     
    splicha, Mar 31, 2004
    #20
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...