Hijack Log..plz help

Discussion in 'adware, spyware & hijack cleaning' started by mustang46, May 29, 2004.

Thread Status:
Not open for further replies.
  1. mustang46

    mustang46 Registered Member

    Joined:
    May 25, 2004
    Posts:
    2
    I have read an earlier post about this Russian porn crap I keep getting, downloaded HijackThis, deleted the bad stuff like the other person did, but it keeps coming back. How can I get rid of this for good?

    Logfile of HijackThis v1.97.7
    Scan saved at 12:36:51 PM, on 5/29/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\POPROXY.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
    C:\QUICKENW\QWDLLS.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TASKPANL.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\PROGRAM FILES\EARTHLINK TOTALACCESS\FASTLANE\IPCLIENT.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.ruserv.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.ruserv.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pretty.ru
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pretty.ru
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.ruserv.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.ruserv.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by EarthLink Network, Inc.
    O2 - BHO: (no name) - {2662BDD7-05D6-408F-B241-FF98FACE6054} - (no file)
    O2 - BHO: (no name) - {57E69D5A-6539-4d7d-9637-775DE8A385B4} - C:\PROGRAM FILES\XUPITER\XUPITERTOOLBAR.DLL (file missing)
    O2 - BHO: (no name) - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\PROGRAM FILES\MYWAY\MYBAR\1.BIN\MYBAR.DLL
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
    O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
    O2 - BHO: (no name) - {CF021F40-3E14-23A5-CBA2-717765721306} - C:\WINDOWS\SYSTEM\WER1306.DLL
    O2 - BHO: (no name) - {CF021F40-3E14-23A5-CBA2-717177658264} - C:\WINDOWS\SYSTEM\QWE8264.DLL
    O3 - Toolbar: Xupiter - {57E69D5A-6539-4d7d-9637-775DE8A385B4} - C:\PROGRAM FILES\XUPITER\XUPITERTOOLBAR.DLL (file missing)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\PROGRAM FILES\MYWAY\MYBAR\1.BIN\MYBAR.DLL
    O3 - Toolbar: Pop-Up Blocker - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Norton AntiVirus\POPROXY.EXE
    O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
    O4 - HKCU\..\Run: [sws.exe] c:\program files\GlobalDialer\domer00114\GD-DIAL.EXE -remove
    O4 - Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: AIM (HKLM)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security1.norton.com/SSC/SharedContent/sc/bin/cabsa.cab
    O16 - DPF: {10000000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\MAIN.MHT!http://d.dialer2004.com//inter/main.chm::/load.exe
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi mustang46,

    Could you please mail me: C:\WINDOWS\SYSTEM\QWE8264.DLL
    Use the address in my profile.

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.ruserv.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.ruserv.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pretty.ru
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pretty.ru
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.ruserv.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.ruserv.com

    O2 - BHO: (no name) - {2662BDD7-05D6-408F-B241-FF98FACE6054} - (no file)
    O2 - BHO: (no name) - {57E69D5A-6539-4d7d-9637-775DE8A385B4} - C:\PROGRAM FILES\XUPITER\XUPITERTOOLBAR.DLL (file missing)
    O2 - BHO: (no name) - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\PROGRAM FILES\MYWAY\MYBAR\1.BIN\MYBAR.DLL

    O2 - BHO: (no name) - {CF021F40-3E14-23A5-CBA2-717765721306} - C:\WINDOWS\SYSTEM\WER1306.DLL
    O2 - BHO: (no name) - {CF021F40-3E14-23A5-CBA2-717177658264} - C:\WINDOWS\SYSTEM\QWE8264.DLL
    O3 - Toolbar: Xupiter - {57E69D5A-6539-4d7d-9637-775DE8A385B4} - C:\PROGRAM FILES\XUPITER\XUPITERTOOLBAR.DLL (file missing)

    O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\PROGRAM FILES\MYWAY\MYBAR\1.BIN\MYBAR.DLL

    O4 - HKCU\..\Run: [sws.exe] c:\program files\GlobalDialer\domer00114\GD-DIAL.EXE -remove

    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

    O16 - DPF: {10000000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\MAIN.MHT!http://d.dialer2004.com//inter/main.chm::/load.exe

    Then reboot into safe mode and delete:
    c:\program files\GlobalDialer <= entire folder
    C:\PROGRAM FILES\MYWAY <= entire folder

    Regards,

    Pieter
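
An added example, not part of the original thread and not HijackThis code: a small Python triage pass over entries in the log format posted above, using lines copied from that log as sample input. The function names, the `expected_hosts` allowlist and the four heuristics are assumptions for illustration; they catch only structural oddities and do not replace reading the log entry by entry.

```python
import re
from urllib.parse import urlparse

# Matches HijackThis entry lines such as "R1 - ..." or "O16 - ...".
ENTRY = re.compile(r"^\s*(R[0-3]|O\d{1,2}) - (.+?)\s*$")

# Sample input: entries copied from the log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.ruserv.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by EarthLink Network, Inc.
O2 - BHO: (no name) - {2662BDD7-05D6-408F-B241-FF98FACE6054} - (no file)
O3 - Toolbar: Xupiter - {57E69D5A-6539-4d7d-9637-775DE8A385B4} - C:\PROGRAM FILES\XUPITER\XUPITERTOOLBAR.DLL (file missing)
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {10000000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\MAIN.MHT!http://d.dialer2004.com//inter/main.chm::/load.exe
"""


def parse_log(text):
    """Return (code, body) pairs for each R*/O* entry; header and process lines are skipped."""
    return [m.groups() for line in text.splitlines() if (m := ENTRY.match(line))]


def triage(entries, expected_hosts=()):
    """Flag entries worth a closer look. expected_hosts is a hypothetical allowlist."""
    findings = []
    for code, body in entries:
        if body.endswith(("(no file)", "(file missing)")):
            # Registry entry still present, but the file it points at is absent.
            findings.append((code, "orphaned registration", body))
        elif code in ("R0", "R1") and " = http" in body:
            host = urlparse(body.split(" = ", 1)[1]).hostname
            if host not in expected_hosts:
                findings.append((code, f"unexpected IE page host {host}", body))
        elif code == "O6":
            findings.append((code, "IE options locked by policy", body))
        elif code == "O16":
            # The install source is the text after the last " - " separator.
            source = body.rsplit(" - ", 1)[-1]
            if not source.lower().startswith(("http://", "https://")):
                findings.append((code, "DPF source is not a plain http(s) URL", body))
    return findings


if __name__ == "__main__":
    for code, reason, body in triage(parse_log(SAMPLE_LOG)):
        print(f"{code:>3}  {reason}: {body}")
```

Running the same pass on a log saved after the reboot shows which flagged entries have been written back.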
     
  3. mustang46

    mustang46 Registered Member

    Joined:
    May 25, 2004
    Posts:
    2
    Thanks a lot Pieter,

    This is a stupid question, but how do you want me to email you
    C:\WINDOWS\SYSTEM\QWE8264.DLL?
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands