Hijackthis Log

Discussion in 'adware, spyware & hijack cleaning' started by SilkyTulips, Feb 6, 2004.

Thread Status:
Not open for further replies.
  1. SilkyTulips

    SilkyTulips Registered Member

    Joined:
    Feb 3, 2004
    Posts:
    2
    Location:
    Oklahoma
    Hi! I just wanted my log looked over by professionals. ;) I've used Ad-aware and Spybot Search & Destroy. Thanks so much for everyone who puts their time into helping us in need. :-* ~Silky~

    Logfile of HijackThis v1.97.7
    Scan saved at 4:58:23 PM, on 2/6/04
    Platform: Windows 98 Gold (Win9x 4.10.199:cool:
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\PROGRAM FILES\ENCOMPASS\ENCMONTR.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\FEELITDM.EXE
    C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\ACS495\MIXGHOST.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\SYSTEM\LVCOMS.EXE
    C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\NAVAPW32.EXE
    C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
    C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\POPROXY.EXE
    C:\PROGRAM FILES\MICROSOFT HARDWARE\KEYBOARD\TYPE32.EXE
    C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
    C:\PROGRAM FILES\SPYBLOCKER SOFTWARE\SPYBLOCKER.EXE
    C:\PROGRAM FILES\SPYBLOCKER SOFTWARE\SPYWARESTOPPER\SPYWARESTOPPER.EXE
    C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
    C:\TOOLS_95\IOWATCH.EXE
    C:\TOOLS_95\IMGICON.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\UNZIPPED\HIJACKTHIS[1]\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcy/defaults/sb/*http://www.yahoo.com/search/ie.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/sbcy/defaults/sp/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcy/defaults/sb/*http://www.yahoo.com/search/ie.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T WorldNet
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [Disknag] C:\DELL\DISKNAG.EXE
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [USSShReg] C:\PROGRA~1\ULEADS~1\ULEADP~1.2\SSAVER\USSSHREG.EXE /r
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [Mixghost] C:\ACS495\MixGhost.exe
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [LVComs] c:\windows\SYSTEM\LVComS.exe
    O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
    O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Norton SystemWorks\Norton AntiVirus\POPROXY.EXE
    O4 - HKLM\..\Run: [WORKFLO] E:\INSTALL\WORKFLOW.EXE
    O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\NORTON~1\NORTON~1\DEFALERT.EXE
    O4 - HKLM\..\Run: [IntelliType] "c:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
    O4 - HKLM\..\Run: [Logitech Utility] LOGI_MWX.EXE
    O4 - HKLM\..\Run: [CriticalUpdate] c:\windows\SYSTEM\wucrtupd.exe -startup
    O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    O4 - HKLM\..\Run: [Currency] C:\WINDOWS\SYSTEM\WINDOWSSED.exe
    O4 - HKLM\..\Run: [SpyBlocker] C:\PROGRAM FILES\SPYBLOCKER SOFTWARE\spyblocker.exe
    O4 - HKLM\..\Run: [SpywareStopper] C:\PROGRAM FILES\SPYBLOCKER SOFTWARE\SPYWARESTOPPER\spywarestopper.exe
    O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe
    O4 - HKLM\..\RunServices: [Encompass_ENCMONTR] C:\Program Files\Encompass\ENCMONTR.EXE
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [FEELitDeviceManager] C:\WINDOWS\SYSTEM\FEELitDM.exe
    O4 - HKLM\..\RunServices: [LoadBlackD] C:\Program Files\Network ICE\BlackICE\blackd.exe
    O4 - HKLM\..\RunServices: [MiniLog] C:\WINDOWS\SYSTEM\ZONELABS\MINILOG.EXE -service
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
    O4 - HKLM\..\RunServices: [Synchronization Agent] C:\WINDOWS\DESKTOP\D2DUPE.EXE
    O4 - HKCU\..\Run: [SurfSecret] C:\Program Files\SurfSecTRIAL\SS2-TRIAL.exe /min
    O4 - Startup: Iomega Startup Options.lnk = C:\Tools_95\IMGSTART.EXE
    O4 - Startup: Iomega Watch.lnk = C:\Tools_95\IOWATCH.EXE
    O4 - Startup: Zip Disk Icons.lnk = C:\Tools_95\IMGICON.EXE
    O4 - Startup: Office Startup.lnk = C:\Program Files\Online Services\MSN\MSNMIG.EXE
    O4 - Startup: PowerReg Scheduler.exe
    O4 - User Startup: Iomega Startup Options.lnk = C:\Tools_95\IMGSTART.EXE
    O4 - User Startup: Iomega Watch.lnk = C:\Tools_95\IOWATCH.EXE
    O4 - User Startup: Zip Disk Icons.lnk = C:\Tools_95\IMGICON.EXE
    O4 - User Startup: Office Startup.lnk = C:\Program Files\Online Services\MSN\MSNMIG.EXE
    O4 - User Startup: PowerReg Scheduler.exe
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Wallpaper (HKLM)
    O9 - Extra 'Tools' menuitem: &Toolbar Wallpaper (HKLM)
    O9 - Extra button: Yahoo! Login (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM)
    O12 - Plugin for .ckn: C:\PROGRA~1\INTERN~1\PLUGINS\NPCKNET.DLL
    O12 - Plugin for .mts: C:\Program Files\MetaCreations\MetaStream\npmetastream.dll
    O12 - Plugin for .hlq: C:\PROGRA~1\INTERN~1\PLUGINS\nphcd32.dll
    O16 - DPF: {C0B4D721-15FA-11D2-B838-00C04FA3426D} (MSNChatHistoryCtl) - http://fdl.msn.com/public/chat/ChatCtls.Cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://carpoint.msn.com/Components/SurVid/MSSurVid.cab
    O16 - DPF: {2FF18E10-DE11-11D1-8161-00A0C90DD90C} (MSNBC News Menu Control 3.0) - http://www.msnbc.com/download/nm0713.cab
    O16 - DPF: {02466323-75ED-11CF-A267-0020AF2546EA} (VivoActive Control) - http://player.vivo.com/ie/vvweb.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {BD1F006E-174F-11D2-95C0-00C04F9A8CFA} (SurveyCtl Class) - http://activex.microsoft.com/controls/mtswizards/SurveyControl.ocx
    O16 - DPF: {8FAF299E-6EAB-11D2-AB2B-00C04FB16291} (SiteBrowseTreeCtrl Class) - http://activex.microsoft.com/controls/mtswizards/sitebrowsetree.cab
    O16 - DPF: {DC63DFD0-F822-11D2-9EDE-00105AA46A17} (Onebox Web Recording ActiveX Object) - http://onebox.myfamily.com/talknow/onebox.cab
    O16 - DPF: {22D6F312-B0F6-11D0-94AB-0080C74C7E95} (Windows Media Player) - http://activex.microsoft.com/activex/controls/mplayer/en/nsmp2inf.cab
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security1.norton.com/sa/1033/common/bin/cabsa.cab
    O16 - DPF: {2FF18E20-DE11-11D1-8161-00A0C90DD90C} (MSNBC News Menu Control 3.01) - http://www.msnbc.com/download/nr1228.cab
    O16 - DPF: {1C854D5E-66D9-11D3-81DD-00A0C9B62983} (TestX Class) - http://www.expressit.com/Plugin/3DGreetings/PlayerX.CAB
    O16 - DPF: {451FCDEE-DCED-11D3-87DD-0090278F1040} (Yahoo! Voicemail Engine) - http://phone.yahoo.com/plugin/yumscom.cab
    O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
    O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://us.i1.yimg.com/us.yimg.com/i/chat/webcam/v110/yvwrctl.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (sys Class) - http://www.pcpitstop.com/dell/site/PCPitStop.CAB
    O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
    O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} - http://chat.yahoo.com/cab/yacsui.cab
    O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://photos.msn.com/r/neutral/controls/MsnPUpld.cab?5,0,1730,0
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37892.5619791667
    O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
    O16 - DPF: {21F16767-8DA7-4113-BEB0-F161B313407F} (XMirage Control) - http://www.myfamily.com/plugins/ue/Install_UE.exe
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://wamnetgov.webex.com/client/latest/webex/ieatgpc.cab
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
    O18 - Protocol: pcn - {D540F040-F3D9-11D0-95BE-00C04FD93CA5} - C:\PROGRAM FILES\ENCOMPASS\V1MK.DLL
     
  2. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Hi SilkyTulips :)

    You can select and fix this one orphaned entry

    O2 - BHO: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

    and if resources/performance is a problem for you, you might try selecting and fixing the following as well

    O4 - HKLM\..\Run: [USSShReg] C:\PROGRA~1\ULEADS~1\ULEADP~1.2\SSAVER\USSSHREG.EXE /r
    O4 - HKLM\..\Run: [Mixghost] C:\ACS495\MixGhost.exe
    O4 - HKLM\..\Run: [LVComs] c:\windows\SYSTEM\LVComS.exe
    O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

    You should check for confirmation from Pieter, Unzy or Tony to ensure there is nothing else ;)

    [ late edit - Just realized, I forgot your

    "Welcome to Wilders!" :) ]
     
  3. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,429
    Location:
    Netherlands
    In the unnecessary department you can add these:

    O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A

    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime

    O4 - Startup: PowerReg Scheduler.exe

    O4 - User Startup: PowerReg Scheduler.exe

    And I am curious about this one:

    O4 - HKLM\..\Run: [Currency] C:\WINDOWS\SYSTEM\WINDOWSSED.exe
    Do you know what it is.

    Regards,

    Pieter
     
  4. SilkyTulips

    SilkyTulips Registered Member

    Joined:
    Feb 3, 2004
    Posts:
    2
    Location:
    Oklahoma
    Dan, Pieter... Thank you so much for the info.

    Also, I have no idea what this is:

    O4 - HKLM\..\Run: [Currency] C:\WINDOWS\SYSTEM\WINDOWSSED.exe

    Thanks again! :-*
    ~Silky~
     
  5. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,429
    Location:
    Netherlands
    Hi SilkyTulips,

    Could you send that file (C:\WINDOWS\SYSTEM\WINDOWSSED.exe) to pieter @ wilderssecurity.org (without the spaces)

    I'll have a look at it and let you know.

    Regards,

    Pieter
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.