Hijack This Log -Please help

Discussion in 'adware, spyware & hijack cleaning' started by Old Laughin Lady, Jun 26, 2004.

Thread Status:
Not open for further replies.
  1. Old Laughin Lady

    Old Laughin Lady Registered Member

    Joined:
    Jun 24, 2004
    Posts:
    3
    Thanks for your advice, info requested as follows, hopefully carried out correctly as I am no expert with computers. Used Spybot S&D. Experiencing Yoogee takeover and constant popups and unable to access the internet for any length of time. I get logged out, the system crashes and I have to constantly reboot from the modem.
    I want rid of the parasites that haunt my system so that I can browse with confidence that I am not under any threat/privacy scares from these nasties. :mad:
    There is one problem in Spybot, and when I try to fix it the computer crashes-
    CoolWWWSearch.HTMLedit -C:\WINDOWS\SYSTEM\DReplace.dll

    Please help me clear up my system.

    Thanks
    OLL :D
    Logfile of HijackThis v1.97.7
    Scan saved at 10:36:51, on 26/06/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
    C:\WINDOWS\SYSTEM\CTFMON.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\MY DOCUMENTS\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http:///
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = 69.61.38.52
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http:///
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ultralinks.info/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ultralinks.info/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http:///
    R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http:///
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ultralinks.info/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http:///
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http:///
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ultralinks.info/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http:///
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http:///
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http:///
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer,CustomizeSearch = http://www.search-1.net/search.html
    R3 - Default URLSearchHook is missing
    F1 - win.ini: run=C:\WINDOWS\svcpack.exe
    O1 - Hosts: 69.61.38.52 ie.search.msn.com
    O1 - Hosts: 69.61.38.54 uh-oh.net www.uh-oh.net www.thumbnailseries.com thumbnailseries.com
    O1 - Hosts: 69.61.38.54 amandalist.com www.amandalist.com www.absolut-series.com absolut-series.com lloronas.com www.lloronas.com p0rno.org www.p0rno.org
    O1 - Hosts: 69.61.38.54 dianapost.com www.dianapost.com www.xnxx.com xnxx.com www.zadina.com zadina.com www.frogsex.com frogsex.com
    O1 - Hosts: 69.61.38.54 www.mature-post.com mature-post.com www.call-kelly.com call-kelly.com www.boneme.com boneme.com sexyfotky.cz www.sexyfotky.cz
    O1 - Hosts: 69.61.38.54 sexape.com www.sexape.com picwarehouse.com www.picwarehouse.com cowlist.com www.cowlist.com sublimedirectory.com sexocean.com www.sexocean.com rubias19.com www.rubias19.com
    O1 - Hosts: 69.61.38.54 www.sublimedirectory.com www.88by88.com 88by88.com elreyano.com www.elreyano.com purextc.com www.purextc.com madthumbs.com www.madthumbs.com
    O1 - Hosts: 69.61.38.54 muyzorras.com www.muyzorras.com *****.org www.*****.org freesmutseries.net www.freesmutseries.net porno-pics-free.com www.porno-pics-free.com catlist.com
    O1 - Hosts: 69.61.38.54 pichunter.com www.pichunter.com teeniefiles.com www.teeniefiles.com bunnyteens.com www.bunnyteens.com jpeg4free.com www.jpeg4free.com www.catlist.com
    O1 - Hosts: 69.61.38.54 amateurcurves.com www.amateurcurves.com hammervideo.com www.hammervideo.com rawpussy.com www.rawpussy.com teeniesxxx.com www.teeniesxxx.com porn-view.com www.porn-view.com
    O1 - Hosts: 69.61.38.54 pornstarfinder.net www.pornstarfinder.net jennysbookmarks.com www.jennysbookmarks.com babes4free.com www.babes4free.com 3pic.com www.3pic.com ****k.com www.****k.com
    O1 - Hosts: 69.61.38.54 searchgals.com www.searchgals.com picsmonster.com www.picsmonster.com sublimepie.com www.sublimepie.com easygals.com www.easygals.com
    O2 - BHO: (no name) - {5FA6752A-C4A0-4222-88C2-928AE5AB4966} - C:\WINDOWS\SYSTEM\SWIN32.DLL
    O2 - BHO: (no name) - {9E992732-295F-4987-8BE3-16FAC1639198} - (no file)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [Rscmpt] C:\WINDOWS\SYSTEM\Rscmpt.exe
    O4 - HKLM\..\Run: [Drest] C:\WINDOWS\SYSTEM\Drest.exe
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [Adstartup] C:\WINDOWS\SYSTEM\automove.exe
    O4 - HKLM\..\Run: [NastySex] C:\WINDOWS\NastySex.exe -n
    O4 - HKLM\..\Run: [lqpsskt] C:\WINDOWS\SYSTEM\uzpqlq.exe
    O4 - HKLM\..\Run: [ALCHEM] C:\WINDOWS\ALCHEM.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
    O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
    O4 - HKCU\..\Run: [\IEService.exe] C:\WINDOWS\ALLUSE~1\APPLIC~1\IESERV~1\IEService.exe
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\Recycled\1.exe
     
    Last edited: Jun 26, 2004
  2. dave38

    dave38 Spyware Expert

    Joined:
    Feb 26, 2004
    Posts:
    377
    To clean up your computer will take several stages. Please follow the steps given below. If you don't understand how to do something please post back.

    To start cleaning up your computer, please download CWShredder
    This was written to deal with Coolweb and all its variants.

    Download and run the program. Let it fix everything it finds, and reboot.

    Do a Ctrl-Alt Delete, processes tab and end task on the Svcpack process.
    Now find that C:\WINDOWS\System32\svcpack.exe file, and delete it.

    Copy the quote below to notepad.
    Hit save as
    save as filename: clear.reg
    Under the filename set to all types, and save it to the desktop.

    Close all IE's, double click the clear.reg
    when asked to merge say yes.


    Have Hijack This fix all of the following that remain in your log by placing a check in the appropriate boxes and hitting fix checked. Make sure all browser and all Windows Explorer windows are closed before fixing.

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http:///
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = 69.61.38.52
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http:///
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ultralinks.info/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ultralinks.info/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http:///
    R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http:///
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ultralinks.info/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http:///
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http:///
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ultralinks.info/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http:///
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http:///
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http:///
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer,CustomizeSearch = http://www.search-1.net/search.html
    R3 - Default URLSearchHook is missing
    F1 - win.ini: run=C:\WINDOWS\svcpack.exe
    O1 - Hosts: 69.61.38.52 ie.search.msn.com
    O1 - Hosts: 69.61.38.54 uh-oh.net www.uh-oh.net www.thumbnailseries.com thumbnailseries.com
    O1 - Hosts: 69.61.38.54 amandalist.com www.amandalist.com www.absolut-series.com absolut-series.com lloronas.com www.lloronas.com p0rno.org www.p0rno.org
    O1 - Hosts: 69.61.38.54 dianapost.com www.dianapost.com www.xnxx.com xnxx.com www.zadina.com zadina.com www.frogsex.com frogsex.com
    O1 - Hosts: 69.61.38.54 www.mature-post.com mature-post.com www.call-kelly.com call-kelly.com www.boneme.com boneme.com sexyfotky.cz www.sexyfotky.cz
    O1 - Hosts: 69.61.38.54 sexape.com www.sexape.com picwarehouse.com www.picwarehouse.com cowlist.com www.cowlist.com sublimedirectory.com sexocean.com www.sexocean.com rubias19.com www.rubias19.com
    O1 - Hosts: 69.61.38.54 www.sublimedirectory.com www.88by88.com 88by88.com elreyano.com www.elreyano.com purextc.com www.purextc.com madthumbs.com www.madthumbs.com
    O1 - Hosts: 69.61.38.54 muyzorras.com www.muyzorras.com *****.org www.*****.org freesmutseries.net www.freesmutseries.net porno-pics-free.com www.porno-pics-free.com catlist.com
    O1 - Hosts: 69.61.38.54 pichunter.com www.pichunter.com teeniefiles.com www.teeniefiles.com bunnyteens.com www.bunnyteens.com jpeg4free.com www.jpeg4free.com www.catlist.com
    O1 - Hosts: 69.61.38.54 amateurcurves.com www.amateurcurves.com hammervideo.com www.hammervideo.com rawpussy.com www.rawpussy.com teeniesxxx.com www.teeniesxxx.com porn-view.com www.porn-view.com
    O1 - Hosts: 69.61.38.54 pornstarfinder.net www.pornstarfinder.net jennysbookmarks.com www.jennysbookmarks.com babes4free.com www.babes4free.com 3pic.com www.3pic.com ****k.com www.****k.com
    O1 - Hosts: 69.61.38.54 searchgals.com www.searchgals.com picsmonster.com www.picsmonster.com sublimepie.com www.sublimepie.com easygals.com www.easygals.com
    O2 - BHO: (no name) - {5FA6752A-C4A0-4222-88C2-928AE5AB4966} - C:\WINDOWS\SYSTEM\SWIN32.DLL
    O2 - BHO: (no name) - {9E992732-295F-4987-8BE3-16FAC1639198} - (no file)

    O4 - HKLM\..\Run: [Rscmpt] C:\WINDOWS\SYSTEM\Rscmpt.exe
    O4 - HKLM\..\Run: [Drest] C:\WINDOWS\SYSTEM\Drest.exe
    O4 - HKLM\..\Run: [Adstartup] C:\WINDOWS\SYSTEM\automove.exe
    O4 - HKLM\..\Run: [NastySex] C:\WINDOWS\NastySex.exe -n
    O4 - HKLM\..\Run: [lqpsskt] C:\WINDOWS\SYSTEM\uzpqlq.exe
    O4 - HKLM\..\Run: [ALCHEM] C:\WINDOWS\ALCHEM.exe
    O4 - HKCU\..\Run: [\IEService.exe] C:\WINDOWS\ALLUSE~1\APPLIC~1\IESERV~1\IEService.exe

    O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\Recycled\1.exe

    Reboot and delete

    files
    C:\WINDOWS\SYSTEM\Rscmpt.exe
    C:\WINDOWS\SYSTEM\Drest.exe
    C:\WINDOWS\SYSTEM\automove.exe
    C:\WINDOWS\NastySex.exe
    C:\WINDOWS\SYSTEM\uzpqlq.exe
    C:\WINDOWS\ALCHEM.exe

    folders
    C:\WINDOWS\ALLUSE~1\APPLIC~1\IESERV~1

    These may be hidden files. See HERE for how to show hidden files.

    Please post a followup Hijack this log, and say if your problems persist.
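    As an added example (not code from the thread or from any of the tools named in it), a small Python triage pass over HijackThis-style log lines that mechanically flags the classes of entry dave38 told the poster to fix: IE start/search settings pointing at an empty URL or a bare IP, hosts-file entries that redirect names to non-loopback addresses, win.ini run= autostarts, and O16 ActiveX entries sourced from a file:// path. The sample lines are constructed to mirror the format of the log above.

    ```python
    import re
    from ipaddress import ip_address

    # Constructed sample in HijackThis log format (mirrors entries from the thread).
    SAMPLE_LOG = r"""
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = 69.61.38.52
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http:///
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ultralinks.info/
    F1 - win.ini: run=C:\WINDOWS\svcpack.exe
    O1 - Hosts: 69.61.38.52 ie.search.msn.com
    O1 - Hosts: 127.0.0.1 localhost
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\Recycled\1.exe
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    """

    # Every HijackThis line starts with a section code (R0, F1, O1, ...) then " - ".
    LINE_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.*)$")


    def _is_ip(text):
        try:
            ip_address(text)
            return True
        except ValueError:
            return False


    def triage_line(line):
        """Return a reason string if the line deserves review, else None."""
        m = LINE_RE.match(line.strip())
        if not m:
            return None
        sec, body = m.group("sec"), m.group("body")
        if sec in ("R0", "R1"):                       # IE start/search settings
            value = body.rsplit(" = ", 1)[-1].strip()
            if value == "http:///":
                return "IE search/start setting points at an empty URL"
            if _is_ip(value):
                return "IE search/start setting points at a bare IP"
        elif sec == "F1":                             # legacy win.ini autostart
            return "win.ini run= entry autostarts a program"
        elif sec == "O1":                             # hosts file overrides
            parts = body.split()                      # ["Hosts:", ip, name, ...]
            if len(parts) >= 3 and parts[0] == "Hosts:" and _is_ip(parts[1]):
                if not ip_address(parts[1]).is_loopback:
                    return f"hosts file redirects {len(parts) - 2} name(s) to {parts[1]}"
        elif sec == "O16" and "file://" in body.lower():   # ActiveX from local disk
            return "ActiveX download entry sourced from a local file:// path"
        return None


    def triage(log_text):
        """Return [(line, reason)] for every line that should be reviewed."""
        return [(l.strip(), triage_line(l)) for l in log_text.splitlines() if triage_line(l)]
    ```

    Run against the sample it reports five entries and leaves the loopback hosts line, the Flash cab and the SysTray autostart alone; the R0 ultralinks.info start page is left for the human reviewer, since a URL alone is not mechanically distinguishable from a legitimate home page.
    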
     
  3. Old Laughin Lady

    Old Laughin Lady Registered Member

    Joined:
    Jun 24, 2004
    Posts:
    3
    HighJackThis -Update

    Thanks for your time & effort Dave38. This is the first time I've logged on since I carried out your instructions....so far no pop ups & no yoogee :D

    Some things did not work -

    1. Ctrl-Alt Delete - Svcpack not there and I couldn't find the C:\WINDOWS\System32\svcpack.exe file.

    2. REGEDIT4

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectPlugin]

    Icon appeared, when I tried to merge I received this message:
    "cannot import. the specified file is not a registry script. you can import only registry files."

    3. I could not find some of the files or folders that you asked me to delete.
    I did find C:\WINDOWS\SYSTEM\automove but when I tried to delete it I received a message saying that it could not be deleted as it was being used by windows.

    See what you think about the latest HighJack This log -


    Logfile of HijackThis v1.97.7
    Scan saved at 18:52:05, on 26/06/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
    C:\WINDOWS\SYSTEM\CTFMON.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
    C:\MY DOCUMENTS\HIJACKTHIS.EXE

    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
    O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    I will check back and see if you think there are any more dodgy files, thanks again (still no pop ups)...OLL :D
     
  4. dave38

    dave38 Spyware Expert

    Joined:
    Feb 26, 2004
    Posts:
    377
    Re: HighJackThis -Update

    Looking good. Nice clean log.
    The svcpack may have been removed by CWShredder. Long time since I saw that particular thing.
    The automove file is not showing up as a running process. If the file still exists, reboot into safe mode and delete it, just to be certain it can't do any more damage.

    Glad to help
     
  5. Old Laughin Lady

    Old Laughin Lady Registered Member

    Joined:
    Jun 24, 2004
    Posts:
    3
    Re: HighJackThis -Update

    Thanks for all your help. This was a second hand PC and I was not advised on how to clean it up. Have now installed McAfee Firewall and I hope all my problems are over.
    Keep up the good work, you're doing a great job.
     