Hijack Log..plz help

Discussion in 'adware, spyware & hijack cleaning' started by mustang46, May 29, 2004.

Thread Status:
Not open for further replies.
  1. mustang46

    mustang46 Registered Member

    Joined:
    May 25, 2004
    Posts:
    2
    I have read earlier post about this russian porn crap I keep getting, downloaded Hijack This..deleted the bad stuff like the other person did, but it keeps coming back. How can I get rid of this for good.

    Logfile of HijackThis v1.97.7
    Scan saved at 12:36:51 PM, on 5/29/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\POPROXY.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
    C:\QUICKENW\QWDLLS.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TASKPANL.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\PROGRAM FILES\EARTHLINK TOTALACCESS\FASTLANE\IPCLIENT.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.ruserv.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.ruserv.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pretty.ru
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pretty.ru
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.ruserv.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.ruserv.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by EarthLink Network, Inc.
    O2 - BHO: (no name) - {2662BDD7-05D6-408F-B241-FF98FACE6054} - (no file)
    O2 - BHO: (no name) - {57E69D5A-6539-4d7d-9637-775DE8A385B4} - C:\PROGRAM FILES\XUPITER\XUPITERTOOLBAR.DLL (file missing)
    O2 - BHO: (no name) - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\PROGRAM FILES\MYWAY\MYBAR\1.BIN\MYBAR.DLL
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
    O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
    O2 - BHO: (no name) - {CF021F40-3E14-23A5-CBA2-717765721306} - C:\WINDOWS\SYSTEM\WER1306.DLL
    O2 - BHO: (no name) - {CF021F40-3E14-23A5-CBA2-717177658264} - C:\WINDOWS\SYSTEM\QWE8264.DLL
    O3 - Toolbar: Xupiter - {57E69D5A-6539-4d7d-9637-775DE8A385B4} - C:\PROGRAM FILES\XUPITER\XUPITERTOOLBAR.DLL (file missing)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\PROGRAM FILES\MYWAY\MYBAR\1.BIN\MYBAR.DLL
    O3 - Toolbar: Pop-Up Blocker - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Norton AntiVirus\POPROXY.EXE
    O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
    O4 - HKCU\..\Run: [sws.exe] c:\program files\GlobalDialer\domer00114\GD-DIAL.EXE -remove
    O4 - Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: AIM (HKLM)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security1.norton.com/SSC/SharedContent/sc/bin/cabsa.cab
    O16 - DPF: {10000000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\MAIN.MHT!http://d.dialer2004.com//inter/main.chm::/load.exe
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,435
    Location:
    Netherlands
    Hi mustang46,

    Could you please mail me: C:\WINDOWS\SYSTEM\QWE8264.DLL
    Use the address in my profile

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.ruserv.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.ruserv.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pretty.ru
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pretty.ru
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.ruserv.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.ruserv.com

    O2 - BHO: (no name) - {2662BDD7-05D6-408F-B241-FF98FACE6054} - (no file)
    O2 - BHO: (no name) - {57E69D5A-6539-4d7d-9637-775DE8A385B4} - C:\PROGRAM FILES\XUPITER\XUPITERTOOLBAR.DLL (file missing)
    O2 - BHO: (no name) - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\PROGRAM FILES\MYWAY\MYBAR\1.BIN\MYBAR.DLL

    O2 - BHO: (no name) - {CF021F40-3E14-23A5-CBA2-717765721306} - C:\WINDOWS\SYSTEM\WER1306.DLL
    O2 - BHO: (no name) - {CF021F40-3E14-23A5-CBA2-717177658264} - C:\WINDOWS\SYSTEM\QWE8264.DLL
    O3 - Toolbar: Xupiter - {57E69D5A-6539-4d7d-9637-775DE8A385B4} - C:\PROGRAM FILES\XUPITER\XUPITERTOOLBAR.DLL (file missing)

    O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\PROGRAM FILES\MYWAY\MYBAR\1.BIN\MYBAR.DLL

    O4 - HKCU\..\Run: [sws.exe] c:\program files\GlobalDialer\domer00114\GD-DIAL.EXE -remove

    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

    O16 - DPF: {10000000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\MAIN.MHT!http://d.dialer2004.com//inter/main.chm: :/load.exe

    Then reboot into safe mode and delete:
    c:\program files\GlobalDialer <= entire folder
    C:\PROGRAM FILES\MYWAY <= entire folder

    Regards,

    Pieter
     
  3. mustang46

    mustang46 Registered Member

    Joined:
    May 25, 2004
    Posts:
    2
    Thanks a lot Pieter,

    This is a stupid question, but how do you want me to email you
    C:\WINDOWS\SYSTEM\QWE8264.DLL
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,435
    Location:
    Netherlands
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.