PLZ HELP

sunita · Dec 29, 2003

I DOWNLOADED HIJACK THIS 1.72.7 . I DONT KNOW HOW TO POST LOGS IN THIS FORUMS

LowWaterMark · Dec 29, 2003

Okay, just to make sure we're starting from the same place on this problem, here are the typical instructions for downloading and running HijackThis...

Go to http://www.tomcoyote.org/hjt and download "HijackThis!" (via button in the left section with flashing green light next to it). Unzip it. Run the HijackThis.exe file and press the [Scan] button... When the scan is finished, the [Scan] button will change into a [Save Log] button. Press that, save the log somewhere and paste the contents into a post here for us to look at.

Note that much of what will be listed there is correct and should not be fixed. So, just post the output here and let's see if the people here can help identify the problem.
Click to expand...

Now, the current version of HijackThis is 1.97.7 and it is available at the link above. It comes down to your system in a ZIP file. You need to open that file to run the HijackThis.exe program that is inside it. Are you able to do that?

If so, notice the instructions say to first hit the [Scan] button, wait for the scan to finish, then that button changes into a [Save Log] button. When you press that and save the log to your disk, it generally will open in Notepad. You need to select all of the log in Notepad and Copy/Paste the entire contents into a reply in this thread.

You don't need to worry about trying to "attach" a log file or anything like that. Just copy and paste the log into the post "message" window and post the reply here.

yokenny · Dec 29, 2003

HijackThis (HJT) should be placed in an easy to acess folder with DOS just in case a restore from backup is necessary.

Go to My Computer (Windows key+e) then open the boot drive usually C: then right click then choose New then Folder and name it HJT.

Download, unzip and then run HJT from this folder.

sunita · Dec 29, 2003

CHECK MY LOGS PLZ

Logfile of HijackThis v1.97.7
Scan saved at 11:42:21 AM, on 12/29/03
Platform: Windows 98 SE
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\ptsnoop.exe
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\PROGRAM FILES\RAMBOOSTER\RAMBOOSTER.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://pbar.net/PBar/custom_search.php?lang=1&bar_id=BADBADFIHBzQNXDBHTHTM
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://pbar.net/PBar/custom_search.php?lang=1&bar_id=BADBADFIHBzQNXDBHTHTM
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rediffmail.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://pbar.net/PBar/custom_search.php?lang=1&bar_id=BADBADFIHBzQNXDBHTHTM
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://pbar.net/PBar/custom_search.php?lang=1&bar_id=BADBADFIHBzQNXDBHTHTM
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://pbar.net/PBar/custom_search.php?lang=1&bar_id=BADBADFIHBzQNXDBHTHTM
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?p=%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=202.140.148.174:80;https=200.74.139.19:81
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://www.chat.yahoo.com
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_11_0.DLL
O2 - BHO: (no name) - {08E74C67-99A6-45C7-94DA-A397A8FD8082} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: (no name) - {206E52E0-D52E-11D4-AD54-0000E86C26F6} - C:\PROGRA~1\FRESHD~1\FRESHD~1\FDCATCH.DLL (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_11_0.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [WFIPS] C:\WINDOWS\TEMP\IP HIDER.EXE -autoboot
O4 - HKLM\..\Run: [WinampAgent] "C:\PROGRAM FILES\WINAMP\WINAMPa.exe"
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashserv.exe
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37869.5081018519
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://us.i1.yimg.com/us.yimg.com/i/chat/webcam/v110/yvwrctl.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/d2c89f68a1bb5a/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/yiebio5_1_6_0.cab
O16 - DPF: msvcp71 - http://download.pestpatrol.com/Downloads/Components/msvcp71.cab
O16 - DPF: msvcr71 - http://download.pestpatrol.com/Downloads/Components/msvcr71.cab
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: mscomctl - http://www.pestscan.com/scanner/mscomctl.cab
O16 - DPF: axscannerruntime - http://www.pestscan.com/scanner/axscannerruntime.cab
O16 - DPF: axscanner - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4310/mcfscan.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinstc.cab
O16 - DPF: Yahoo! Blackjack - http://download.games.yahoo.com/games/clients/y/jt0_x.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = etcnetwork
O17 - HKLM\System\CCS\Services\VxD\MSTCP

Pieter_Arntz · Dec 29, 2003

Hi sunita,

Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://pbar.net/PBar/custom_search.php?lang=1&bar_id=BADBADFIHBzQNXDBHTHTM
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://pbar.net/PBar/custom_search.php?lang=1&bar_id=BADBADFIHBzQNXDBHTHTM

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://pbar.net/PBar/custom_search.php?lang=1&bar_id=BADBADFIHBzQNXDBHTHTM
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://pbar.net/PBar/custom_search.php?lang=1&bar_id=BADBADFIHBzQNXDBHTHTM
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://pbar.net/PBar/custom_search.php?lang=1&bar_id=BADBADFIHBzQNXDBHTHTM
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

O2 - BHO: (no name) - {08E74C67-99A6-45C7-94DA-A397A8FD8082} - (no file)

O2 - BHO: (no name) - {206E52E0-D52E-11D4-AD54-0000E86C26F6} - C:\PROGRA~1\FRESHD~1\FRESHD~1\FDCATCH.DLL (file missing)

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

Then reboot and keep us posted.

Regards,

Pieter

Log in or Sign up

PLZ HELP

sunita Registered Member

LowWaterMark Administrator

yokenny Registered Member

sunita Registered Member

Pieter_Arntz Spyware Veteran

Log in or Sign up

PLZ HELP

sunita Registered Member

LowWaterMark Administrator

yokenny Registered Member

sunita Registered Member

Pieter_Arntz Spyware Veteran

Useful Searches