Hijack This Log help

Discussion in 'adware, spyware & hijack cleaning' started by mleanie fish, Feb 26, 2004.

Thread Status:
Not open for further replies.
  1. mleanie fish

    mleanie fish Guest

    I think I need some help here please! I have run Spybot, Adaware, CWshredder and have SpyBlaster, HijackBlaster on tap. Over the last few days a few strange things have happened that make me suspicious.

    1. On startup my System Folder opens automatically
    2. IE has been extremely slow
    3. I've had radom issues accessing web pages primarily those related to merjin sites, tomcoyote, etc
    4. Rapid Blaster keeps showing up in Spybot even when I rerun on startup
    5. Strange (to me) looking stuff in my hijack log

    Bottom line is I'm stumped and if anyone can help, I appreciate it.

    Here is the log:

    Logfile of HijackThis v1.97.7
    Scan saved at 5:59:50 PM, on 2/26/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\SSDPSRV.EXE
    C:\WINDOWS\SYSTEM\MDM.EXE
    C:\PROGRAM FILES\COMMON FILES\EPSON\EBAPI\SAGENT2.EXE
    C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINJECT.EXE
    C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON UTILITIES\NPROTECT.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
    C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
    C:\WINDOWS\DELAYRUN.EXE
    C:\WINDOWS\SYSTEM\HIDSERV.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
    C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
    C:\DOWNLOAD\HIJACKTHIS.EXE
    C:\PROGRAM FILES\RAPIDBLASTER\RB32.EXE
    C:\WINDOWS\RunDLL.exe
    C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE
    C:\PROGRAM FILES\RAMBOOSTER\RAMBOOSTER.EXE
    C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hp.my.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://hp.my.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://autoproxy.verizon.com/cgi-bin/getProxy
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R3 - Default URLSearchHook is missing
    O1 - Hosts: 127.127.127.127 elite
    O1 - Hosts: 217.116.231.7 aimtoday.aol.com
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
    O4 - HKLM\..\Run: [HPScanPatch] C:\WINDOWS\SYSTEM\HPScanFix.exe
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [Delay] C:\WINDOWS\delayrun.exe
    O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
    O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    O4 - HKLM\..\Run: [<H] c:\Windows\System\<HEAD>
    O4 - HKLM\..\Run: [ <TITLE>Error</TI] c:\Windows\System\ <TITLE>Error</TITLE>
    O4 - HKLM\..\Run: [</H] c:\Windows\System\</HTML>
    O4 - HKLM\..\Run: [<B] c:\Windows\System\<BODY>
    O4 - HKLM\..\Run: [The site you have requested doesn't ex] c:\Windows\System\The site you have requested doesn't exist.
    O4 - HKLM\..\Run: [] c:\Windows\System\
    O4 - HKLM\..\Run: [The associated domain name has probably been reserved by a client ] c:\Windows\System\The associated domain name has probably been reserved by a client from
    O4 - HKLM\..\Run: [<A HREF="http://www.gandi.net/">GANDI</A> then par] c:\Windows\System\<A HREF="http://www.gandi.net/">GANDI</A> then parked.
    O4 - HKLM\..\Run: [</B] c:\Windows\System\</BODY>
    O4 - HKLM\..\Run: [rb32 ml805e] "C:\Program Files\RapidBlaster\rb32.exe"
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
    O4 - HKLM\..\RunServices: [SAgent2ExePath] C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    O4 - HKLM\..\RunServices: [CSINJECT.EXE] C:\Program Files\Norton SystemWorks\Norton CleanSweep\CSINJECT.EXE
    O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
    O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
    O4 - HKCU\..\Run: [MSMSGS] C:\PROGRA~1\MESSEN~1\msmsgs.exe /background
    O4 - HKCU\..\Run: [RamBooster] C:\PROGRAM FILES\RAMBOOSTER\RAMBOOSTER.EXE
    O4 - HKCU\..\Run: [<H] c:\Windows\System\<HEAD>
    O4 - HKCU\..\Run: [ <TITLE>Error</TI] c:\Windows\System\ <TITLE>Error</TITLE>
    O4 - HKCU\..\Run: [</H] c:\Windows\System\</HTML>
    O4 - HKCU\..\Run: [<B] c:\Windows\System\<BODY>
    O4 - HKCU\..\Run: [The site you have requested doesn't ex] c:\Windows\System\The site you have requested doesn't exist.
    O4 - HKCU\..\Run: [] c:\Windows\System\
    O4 - HKCU\..\Run: [The associated domain name has probably been reserved by a client ] c:\Windows\System\The associated domain name has probably been reserved by a client from
    O4 - HKCU\..\Run: [<A HREF="http://www.gandi.net/">GANDI</A> then par] c:\Windows\System\<A HREF="http://www.gandi.net/">GANDI</A> then parked.
    O4 - HKCU\..\Run: [</B] c:\Windows\System\</BODY>
    O4 - HKCU\..\RunServices: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
    O4 - HKCU\..\RunServices: [MSMSGS] C:\PROGRA~1\MESSEN~1\msmsgs.exe /background
    O4 - HKCU\..\RunServices: [RamBooster] C:\PROGRAM FILES\RAMBOOSTER\RAMBOOSTER.EXE
    O4 - HKCU\..\RunServices: [<H] c:\Windows\System\<HEAD>
    O4 - HKCU\..\RunServices: [ <TITLE>Error</TI] c:\Windows\System\ <TITLE>Error</TITLE>
    O4 - HKCU\..\RunServices: [</H] c:\Windows\System\</HTML>
    O4 - HKCU\..\RunServices: [<B] c:\Windows\System\<BODY>
    O4 - HKCU\..\RunServices: [The site you have requested doesn't ex] c:\Windows\System\The site you have requested doesn't exist.
    O4 - HKCU\..\RunServices: [] c:\Windows\System\
    O4 - HKCU\..\RunServices: [The associated domain name has probably been reserved by a client ] c:\Windows\System\The associated domain name has probably been reserved by a client from
    O4 - HKCU\..\RunServices: [<A HREF="http://www.gandi.net/">GANDI</A> then par] c:\Windows\System\<A HREF="http://www.gandi.net/">GANDI</A> then parked.
    O4 - HKCU\..\RunServices: [</B] c:\Windows\System\</BODY>
    O4 - Startup: Quicken Scheduled Updates.lnk = C:\Quickenw\bagent.exe
    O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
    O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
    O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: SideStep (HKLM)
    O14 - IERESET.INF: START_PAGE_URL=http://hp.my.yahoo.com
    O15 - Trusted Zone: http://office.microsoft.com.
    O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/ProductUpdates/content/opuc.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.25.152/code/PWActiveXImgCtl.CAB
    O16 - DPF: JavaConnect - http://ttst01.verizon.com/sametime/javaconnect/JavaConnect.cab
    O16 - DPF: {E581F2C0-9293-11D0-B132-00A0249C49D7} (Net-It jDoc PrintGraphics) - http://sndocapp01.verizon.com/workbook/jdocprtm.cab
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://verizon.webex.com/client/latest/webex/ieatgpc.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37891.7975578704
    O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://aol.musicnotes.com/download/mnviewer.cab
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://download.verizon.com/files/5/isetup.cab
    O16 - DPF: {24CEC0BF-C8BC-4BCB-B804-226326B319EF} (JNILoader Control) - http://ttst01.verizon.com/sametime/STMeetingRoomClient/STJNILoader.cab
    O16 - DPF: Sametime Meeting Room Client ST30IF3 - http://ttst01.verizon.com/sametime/stmeetingroomclient/STMeetingRoomClient.cab
    O16 - DPF: {E04EAE82-14AD-41CB-BF5A-45556ABB8347} (WebCoachDownload Class) - http://esupport.aol.com/help/engine/aolcinst.cab
    O16 - DPF: {2DFA3F5C-C7D8-44C2-A420-EC11E00C3F28} (DLXControl Class) - http://itrdoc.verizon.com/doc/RetailPresoRep/DisplayListX.cab
    O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - http://usmdsilcheted01.us2.ent.verizon.com/viewer/activeXViewer/activexviewer.cab
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
    O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
    O16 - DPF: {0837121A-6472-43BD-8A40-D9221FF1C4CE} - http://download.sidestep.com/get/k00726/sb028.cab
    O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78D} (DoomCln Object) - http://www.microsoft.com/security/controls/DoomCln.CAB
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = verizon.com
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = Verizon.com
     
  2. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    Hi mleanie fish :)

    Welcome to Wilders.

    The reason u are having trouble with Merijin and Tom Coyote sites is because they have been under a dos attack now for over a week. :(

    If u are having trouble with RapidBlaster u can download RapidBlaster Killer at this link,

    http://www.wilderssecurity.net/specialinfo/rapidblaster.html

    As for your log, one of the experts will be along to give u recommendations.


    Thanks


    snowbound
     
  3. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi mleanie fish,

    After using RapidBlaster, check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    R3 - Default URLSearchHook is missing
    O1 - Hosts: 127.127.127.127 elite

    O4 - HKLM\..\Run: [] c:\Windows\System\

    O4 - HKLM\..\Run: [rb32 ml805e] "C:\Program Files\RapidBlaster\rb32.exe" <= if still present

    O4 - HKCU\..\RunServices: [] c:\Windows\System\

    Then reboot, run HijackThis again and post a new log.

    Regards,

    Pieter
     
  4. Melanie Fish

    Melanie Fish Guest

    Thanks for your help! This site restores my faith in mankind because these hackers and Spyware/Malware folks are really irritating!

    Hopefully this will take care of Rapid Blaster. I've ran Rapid Blaster earlier this week and as I've read it does reappear. Does anyone know if RB is responsible for the Gandi.Net and HTML tags that appeared in the Hijack Log? I have removed those several times too recently but it keeps appearing.

    Here is my log and again my thanks to all of your for keeping me sane just a little longer!

    Logfile of HijackThis v1.97.7
    Scan saved at 6:16:04 AM, on 2/27/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\SSDPSRV.EXE
    C:\WINDOWS\SYSTEM\MDM.EXE
    C:\PROGRAM FILES\COMMON FILES\EPSON\EBAPI\SAGENT2.EXE
    C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINJECT.EXE
    C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON UTILITIES\NPROTECT.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
    C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
    C:\WINDOWS\SYSTEM\HIDSERV.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
    C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
    C:\WINDOWS\RunDLL.exe
    C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE
    C:\PROGRAM FILES\RAMBOOSTER\RAMBOOSTER.EXE
    C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
    C:\WINDOWS\WUAUCLT.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
    C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\DOWNLOAD\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hp.my.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://hp.my.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://autoproxy.verizon.com/cgi-bin/getProxy
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O1 - Hosts: 217.116.231.7 aimtoday.aol.com
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
    O4 - HKLM\..\Run: [HPScanPatch] C:\WINDOWS\SYSTEM\HPScanFix.exe
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [Delay] C:\WINDOWS\delayrun.exe
    O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
    O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
    O4 - HKLM\..\RunServices: [SAgent2ExePath] C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    O4 - HKLM\..\RunServices: [CSINJECT.EXE] C:\Program Files\Norton SystemWorks\Norton CleanSweep\CSINJECT.EXE
    O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
    O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
    O4 - HKCU\..\Run: [MSMSGS] C:\PROGRA~1\MESSEN~1\msmsgs.exe /background
    O4 - HKCU\..\Run: [RamBooster] C:\PROGRAM FILES\RAMBOOSTER\RAMBOOSTER.EXE
    O4 - Startup: Quicken Scheduled Updates.lnk = C:\Quickenw\bagent.exe
    O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
    O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
    O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: SideStep (HKLM)
    O14 - IERESET.INF: START_PAGE_URL=http://hp.my.yahoo.com
    O15 - Trusted Zone: http://office.microsoft.com.
    O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/ProductUpdates/content/opuc.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.25.152/code/PWActiveXImgCtl.CAB
    O16 - DPF: JavaConnect - http://ttst01.verizon.com/sametime/javaconnect/JavaConnect.cab
    O16 - DPF: {E581F2C0-9293-11D0-B132-00A0249C49D7} (Net-It jDoc PrintGraphics) - http://sndocapp01.verizon.com/workbook/jdocprtm.cab
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://verizon.webex.com/client/latest/webex/ieatgpc.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37891.7975578704
    O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://aol.musicnotes.com/download/mnviewer.cab
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://download.verizon.com/files/5/isetup.cab
    O16 - DPF: {24CEC0BF-C8BC-4BCB-B804-226326B319EF} (JNILoader Control) - http://ttst01.verizon.com/sametime/STMeetingRoomClient/STJNILoader.cab
    O16 - DPF: Sametime Meeting Room Client ST30IF3 - http://ttst01.verizon.com/sametime/stmeetingroomclient/STMeetingRoomClient.cab
    O16 - DPF: {E04EAE82-14AD-41CB-BF5A-45556ABB8347} (WebCoachDownload Class) - http://esupport.aol.com/help/engine/aolcinst.cab
    O16 - DPF: {2DFA3F5C-C7D8-44C2-A420-EC11E00C3F28} (DLXControl Class) - http://itrdoc.verizon.com/doc/RetailPresoRep/DisplayListX.cab
    O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - http://usmdsilcheted01.us2.ent.verizon.com/viewer/activeXViewer/activexviewer.cab
    O16 - DPF: {0837121A-6472-43BD-8A40-D9221FF1C4CE} - http://download.sidestep.com/get/k00726/sb028.cab
    O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78D} (DoomCln Object) - http://www.microsoft.com/security/controls/DoomCln.CAB
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = verizon.com
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = Verizon.com
     
  5. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi Melanie,

    At least we managed to make your log readable. :)

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    O1 - Hosts: 217.116.231.7 aimtoday.aol.com

    O9 - Extra button: SideStep (HKLM)

    O16 - DPF: {0837121A-6472-43BD-8A40-D9221FF1C4CE} - http://download.sidestep.com/get/k00726/sb028.cab

    That should do it.

    Read this on how to minimize the risk of infection: http://boards.cexx.org/viewtopic.php?t=957.

    Regards,

    Pieter
     
Thread Status:
Not open for further replies.