Hijack log file/Another Hotxxx victim!

Discussion in 'adware, spyware & hijack cleaning' started by lee_lotzof, Jun 28, 2004.

Thread Status:
Not open for further replies.
  1. lee_lotzof

    lee_lotzof Registered Member

    Joined:
    Jun 28, 2004
    Posts:
    2
    Hi guys, your help is appreciated. My mum's PC here, and she has the dreaded Hotxxx dialer prob... I have run Ad-aware on a full scan and still have probs with it reinstalling, changing the home page etc. etc.

    Log file as follows...

    Logfile of HijackThis v1.97.7
    Scan saved at 14:34:30, on 28/06/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MDM.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\MMKEYBD.EXE
    C:\Program Files\Netropa\Onscreen Display\OSD.exe
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\PROGRAM FILES\01 VGA BASH\DRV LITE BODY.EXE
    C:\WINDOWS\SYSTEM\HLSDZVK.EXE
    C:\WINDOWS\SYSTEM\LEXBCES.EXE
    C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
    C:\WANADOO\WANADOOCONNECTIONKIT\ATDIALLER1.EXE
    C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\WINDOWS\TWAIN_32\1200USB\WATCH.EXE
    C:\PROGRAM FILES\WINDOWS MEDIA COMPONENTS\ENCODER\WMENCAGT.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\SYSTEM\LEXPPS.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\PROGRAM FILES\KILLAFING3\KILLAFING3.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\WINDOWS\MSGAOL.EXE
    C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\OPYV4PEN\HIJACKTHIS[1].EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pureseeker.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080
    N1 - Netscape 4: user_pref("browser.startup.homepage","http://www.pureseeker.com"); (C:\Program Files\Netscape\Users\ray\prefs.js)
    O2 - BHO: (no name) - {7C0D0F1A-AA1F-4F43-94EC-3F88651C8C7F}} - (no file)
    O2 - BHO: (no name) - {7C0D0F1A-AA1F-4F43-94EC-3F88651C8C7F} - C:\PROGRAM FILES\KILLAFING3\KILLAFING3.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\WANADOO\WSBAR\WSBAR.DLL
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [Multimedia Keyboard] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
    O4 - HKLM\..\Run: [Onscreen Display] C:\Program Files\Netropa\Onscreen Display\OSD.exe
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [LexStart] lexstart.exe
    O4 - HKLM\..\Run: [compbeep] C:\PROGRA~1\01 vga bash\drv lite body.exe
    O4 - HKLM\..\Run: [MSZTCE] C:\WINDOWS\SYSTEM\MSZTCE.EXE
    O4 - HKLM\..\Run: [fpltsoovj] C:\WINDOWS\SYSTEM\hlsdzvk.exe
    O4 - HKLM\..\Run: [MicroDialler] C:\Wanadoo\WanadooConnectionKit\atdialler1.exe
    O4 - HKLM\..\Run: [StartMenu] C:\WINDOWS\msgaol.exe /i
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKCU\..\Run: [MsnMsgr] "c:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\RunServices: [MsnMsgr] "c:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - Startup: Watch.lnk = C:\Windows\TWAIN_32\1200USB\WATCH.exe
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Startup: Encoder Agent.lnk = C:\Program Files\Windows Media Components\Encoder\WMENCAGT.EXE
    O8 - Extra context menu item: Search with Wanadoo - res://C:\PROGRA~1\WANADOO\WSBAR\WSBAR.DLL/VSearch.htm
    O9 - Extra button: RealGuide (HKLM)
    O9 - Extra button: Freeserve (HKCU)
    O9 - Extra button: PB Home (HKCU)
    O12 - Plugin for .bmp: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk/
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://dload.ipbill.com/del/loader.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
    O16 - DPF: ChatSpace Full Java Client 3.1.0.235 - http://chat-d1.freeserve.com/Java/cfs31235.cab
    O16 - DPF: ChatSpace Full Java Client 3.1.0.245 - http://chat-c1.freeserve.com/Java/cfs31245.cab
    O16 - DPF: {C56CE781-A6FC-4706-8B32-6EB4622155DF} (MediaConnect Control) - http://plugin.euro-infomedia.com/mpv0.cab
    O16 - DPF: {034CC2DC-3245-4B26-B5C7-7B8777739CB7} - http://64.62.232.4/gamesplayground/060548/uk/fullgames/fullgames.exe
    O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\Recycled\1.exe

    Thanks, and I hope I have posted this a) in the right forum and b) with the right information attached.

    Cheers
    Lee :cool:
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi lee_lotzof,

    Before you start, please unzip HijackThis to a separate folder. The program makes its backups in the folder it's in.
    These easily get lost in a Temp folder.

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pureseeker.com

    N1 - Netscape 4: user_pref("browser.startup.homepage","http://www.pureseeker.com"); (C:\Program Files\Netscape\Users\ray\prefs.js)
    O2 - BHO: (no name) - {7C0D0F1A-AA1F-4F43-94EC-3F88651C8C7F}} - (no file)
    O2 - BHO: (no name) - {7C0D0F1A-AA1F-4F43-94EC-3F88651C8C7F} - C:\PROGRAM FILES\KILLAFING3\KILLAFING3.DLL

    O4 - HKLM\..\Run: [compbeep] C:\PROGRA~1\01 vga bash\drv lite body.exe
    O4 - HKLM\..\Run: [MSZTCE] C:\WINDOWS\SYSTEM\MSZTCE.EXE
    O4 - HKLM\..\Run: [fpltsoovj] C:\WINDOWS\SYSTEM\hlsdzvk.exe

    O4 - HKLM\..\Run: [StartMenu] C:\WINDOWS\msgaol.exe /i

    O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://dload.ipbill.com/del/loader.cab

    O16 - DPF: {C56CE781-A6FC-4706-8B32-6EB4622155DF} (MediaConnect Control) - http://plugin.euro-infomedia.com/mpv0.cab
    O16 - DPF: {034CC2DC-3245-4B26-B5C7-7B8777739CB7} - http://64.62.232.4/gamesplayground/060548/uk/fullgames/fullgames.exe
    O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\Recycled\1.exe

    Then reboot into safe mode and delete:
    C:\PROGRAM FILES\KILLAFING3 <= entire folder
    C:\PROGRAM FILES\01 vga bash <= entire folder
    C:\WINDOWS\msgaol.exe
    C:\WINDOWS\SYSTEM\hlsdzvk.exe

    Regards,

    Pieter
  3. lee_lotzof

    lee_lotzof Registered Member

    Joined:
    Jun 28, 2004
    Posts:
    2
    Thanks Pieter for that!

    Here's my new log file.

    Logfile of HijackThis v1.97.7
    Scan saved at 17:17:19, on 28/06/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MDM.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\MMKEYBD.EXE
    C:\Program Files\Netropa\Onscreen Display\OSD.exe
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\WANADOO\WANADOOCONNECTIONKIT\ATDIALLER1.EXE
    C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
    C:\WINDOWS\TWAIN_32\1200USB\WATCH.EXE
    C:\PROGRAM FILES\WINDOWS MEDIA COMPONENTS\ENCODER\WMENCAGT.EXE
    C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
    C:\WINDOWS\SYSTEM\LEXBCES.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\SYSTEM\LEXPPS.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\WINDOWS\DESKTOP\HIJACKTHIS[1].EXE

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080
    N1 - Netscape 4: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Program Files\Netscape\Users\ray\prefs.js)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\WANADOO\WSBAR\WSBAR.DLL
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [Multimedia Keyboard] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
    O4 - HKLM\..\Run: [Onscreen Display] C:\Program Files\Netropa\Onscreen Display\OSD.exe
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [LexStart] lexstart.exe
    O4 - HKLM\..\Run: [MicroDialler] C:\Wanadoo\WanadooConnectionKit\atdialler1.exe
    O4 - HKLM\..\Run: [compbeep] C:\PROGRA~1\01VGAB~1\drv lite body.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKCU\..\Run: [MsnMsgr] "c:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - Startup: Watch.lnk = C:\Windows\TWAIN_32\1200USB\WATCH.exe
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Startup: Encoder Agent.lnk = C:\Program Files\Windows Media Components\Encoder\WMENCAGT.EXE
    O8 - Extra context menu item: Search with Wanadoo - res://C:\PROGRA~1\WANADOO\WSBAR\WSBAR.DLL/VSearch.htm
    O9 - Extra button: RealGuide (HKLM)
    O9 - Extra button: Freeserve (HKCU)
    O9 - Extra button: PB Home (HKCU)
    O12 - Plugin for .bmp: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk/
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
    O16 - DPF: ChatSpace Full Java Client 3.1.0.235 - http://chat-d1.freeserve.com/Java/cfs31235.cab
    O16 - DPF: ChatSpace Full Java Client 3.1.0.245 - http://chat-c1.freeserve.com/Java/cfs31245.cab

    I followed all your instructions exactly!

    As you can see, I could not delete
    O4 - HKLM\..\Run: [compbeep] C:\PROGRA~1\01VGAB~1\drv lite body.exe
    I would scan using HijackThis, fix it and then rerun HijackThis and it would appear again! :doubt:

    Also, when I hold Ctrl + Alt + Delete I see a prog atdialler1. But I don't seem to have the Hotxxx back yet.... what do ya reckon? Am I clear? o_O
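    The before/after comparison a helper does by eye on two HijackThis logs, as an added example (not code from this thread or from HijackThis): it splits each entry line into section, item identity and target, then reports which items were removed, added, changed or left alone between two logs. The sample data is a constructed excerpt of the two logs posted above, not the full logs; an item that is still present under a new path, like the [compbeep] Run entry, is reported as changed rather than as gone.

```python
import re
LINE_RE = re.compile(r"^(?P<kind>[A-Z]\d{1,2}) - (?P<body>.+)$")

def parse_line(line):
    """Return (kind, key, value) for a HijackThis entry line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")
    if kind in ("R0", "R1"):                    # '<regpath>,<value> = <data>'
        key, _, val = body.partition(" = ")
    elif kind == "O4":                          # '[name] <cmd>' or 'Startup: x.lnk = <path>'
        key, sep, val = body.partition("] ") if "[" in body else body.partition(" = ")
        key += "]" if sep == "] " else ""
    else:                                       # 'BHO: <name> - {CLSID} - <file>', 'DPF: {CLSID} - <url>'
        key, _, val = body.rpartition(" - ") if " - " in body else (body, "", "")
    return kind, key.strip(), val.strip()

def parse_log(text):
    return {(e[0], e[1]): e[2] for e in map(parse_line, text.splitlines()) if e}

def diff_logs(before, after):
    """Sort items into removed, added, changed (same item, new target) or unchanged."""
    old, new = parse_log(before), parse_log(after)
    out = {"removed": [], "added": [], "changed": [], "unchanged": []}
    for ident in sorted(set(old) | set(new)):
        label = " ".join(ident)
        if ident not in new:
            out["removed"].append(label)
        elif ident not in old:
            out["added"].append(label)
        elif old[ident] != new[ident]:
            # A Run item back under a new path after a fix means something re-creates it.
            out["changed"].append(f"{label}: {old[ident]} -> {new[ident]}")
        else:
            out["unchanged"].append(label)
    return out

# Constructed excerpts of the two logs posted in this thread, not the full logs.
BEFORE = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pureseeker.com
O4 - HKLM\..\Run: [compbeep] C:\PROGRA~1\01 vga bash\drv lite body.exe
O4 - HKLM\..\Run: [MicroDialler] C:\Wanadoo\WanadooConnectionKit\atdialler1.exe
O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\Recycled\1.exe
"""
AFTER = r"""
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Program Files\Netscape\Users\ray\prefs.js)
O4 - HKLM\..\Run: [compbeep] C:\PROGRA~1\01VGAB~1\drv lite body.exe
O4 - HKLM\..\Run: [MicroDialler] C:\Wanadoo\WanadooConnectionKit\atdialler1.exe
"""
```

    Call diff_logs(BEFORE, AFTER) to get the four lists; the "changed" entry for [compbeep] is the one that warrants a second look, since a fixed Run value does not normally come back on its own.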