I have been highjacked

Discussion in 'adware, spyware & hijack cleaning' started by Irisreds, Apr 15, 2004.

Thread Status:
Not open for further replies.
  1. Irisreds

    Irisreds Registered Member

    Joined:
    Apr 15, 2004
    Posts:
    4
    I have the following list of highjacks - please advise if I should delete all or just some of them.
    Thanks
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi Irisreds,

    I think you forgot to post the content of your log.
    If you need any pointers: http://home.planet.nl/~kleyn080/hijackthisexplanation.html

    Regards,

    Pieter
     
  3. Irisreds

    Irisreds Registered Member

    Joined:
    Apr 15, 2004
    Posts:
    4
  4. Irisreds

    Irisreds Registered Member

    Joined:
    Apr 15, 2004
    Posts:
    4
    The details don't seem
    to have been posted. Here they are again. Sorry about this.

    Regards Iris

    Logfile of HijackThis v1.97.7
    Scan saved at 12:41:51, on 15/04/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\WINDOWS\SYSTEM\MAIN16.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
    C:\PROGRAM FILES\AGFA\AGFACAM\AGFACLNK.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    C:\INTEL\INTEL PSNCU\CPUNUMBER.EXE
    C:\PROGRAM FILES\REAL\REALJUKEBOX\TSYSTRAY.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\AIM95\AIM.EXE
    C:\WINDOWS\RUNDLL32.EXE
    C:\PROGRAM FILES\YAHOO!\MESSENGER\YMSGR_TRAY.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TEMP\TD_0001.DIR\HIJACKTHIS.EXE

    O1 - Hosts: 1089288654 auto.search.msn.com
    O2 - BHO: (no name) - {CE7C3CF0-4B15-11D1-ABED-709549C10000} - C:\WINDOWS\IEHELPER.DLL
    O3 - Toolbar: &Kangaroo - {663C7429-E454-11D3-B9AE-0000B4C32B4D} - C:\IDC\WEBKA.DLL
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\YCOMP5_0_2_5.DLL
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [AgfaCamWatch] C:\Program Files\Agfa\AgfaCam\AgfaCLnk.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [GreasyPalmUpdate] C:\WINDOWS\GreasyPalmUpdate.exe
    O4 - HKLM\..\Run: [tapqiupr.exe] C:\WINDOWS\SYSTEM\tapqiupr.exe
    O4 - HKLM\..\Run: [Soundmx] \soundmx.exe
    O4 - HKLM\..\Run: [IDIS400O] C:\WINDOWS\SYSTEM\IDIS400O.exe
    O4 - HKLM\..\Run: [MSVersion] C:\WINDOWS\SYSTEM\INTERNETFEATURES.exe
    O4 - HKLM\..\Run: [Mwsvm] C:\WINDOWS\mwsvm.exe
    O4 - HKLM\..\Run: [MSZTCE] C:\WINDOWS\SYSTEM\MSZTCE.EXE
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [Main16] c:\windows\system\main16.exe
    O4 - HKCU\..\Run: [IntelProcNumUtility] "C:\Intel\Intel PSNCU\CpuNumber.exe" /nosplash
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
    O4 - HKCU\..\Run: [RealJukeboxSystray] C:\PROGRAM FILES\REAL\REALJUKEBOX\TSYSTRAY.EXE
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe -quiet
    O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [System Soap Pro] C:\PROGRAM FILES\SYSTEM SOAP PRO\SOAP.exe min
    O4 - HKCU\..\Run: [Instant Access] rundll32.exe EGCOMLIB_1031.dll,InstantAccess
    O4 - HKCU\..\Run: [mslagent] C:\WINDOWS\navpmc\NAVPMC.EXE
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O9 - Extra button: Kangaroo (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O12 - Plugin for .mts: C:\Program Files\MetaCreations\MetaStream\npmetastream.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {0FC6BF2B-E16A-11CF-AB2E-0080AD08A326} - http://www.liveupdate.com/controls/getcab5.dll
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {A0F0D762-D1DE-43AF-B70E-D87864743EB3} (NSLiteUpdateCtrl Class) - http://217.145.76.16/nslite/nslite.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {F0230524-9D39-4E84-8452-41C592961EA7} (Installer Class) - http://www.4wav.com/Config.cab
    O16 - DPF: {88C51E90-8E9C-4C96-8A45-574D88B63FAF} (Matrix Class) - http://acceso.masminutos.com/aplicacion.cab
    O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://66.230.143.209/loader/dploader.cab
    O16 - DPF: {91413D86-9F27-402C-B5E3-DEBDD122C339} - http://content.netvenda.com/sites/games-uk/uk/games4.cab
    O16 - DPF: {093F9CF8-0DE1-491C-95D5-5EC257BD4CA3} - http://akamai.downloadv3.com/binaries/IA/dtc32_EN.cab
    O16 - DPF: {CEFB7B49-9652-464F-8AFD-A577C0500F39} (EGP2ECOM Class) - http://akamai.downloadv3.com/binaries/P2EClient/EGAUTH_1004_pack.cab
    O16 - DPF: {4C226336-4032-489F-9674-67E74225979B} (OTXMovie Class) - http://www.otxresearch.com/OTXMedia/OTXMedia.dll
    O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.truedoc.com/activex/tdserver.cab
    O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://www.manchesteronline.co.uk/webcams/AxisCamControl.cab
    O16 - DPF: {582788CA-7014-4904-A4EE-6FB6108AFE8E} - http://www.123mania.com/asrcware.cab
    O16 - DPF: {6814A9EF-FBF1-46B2-A46E-56B401079C26} - http://www.dialer-shop.com/cexe/b200ex8.exe
    O16 - DPF: {91433D86-9F27-402C-B5E3-DEBDD122C339} - http://www.netvenda.com/sites/games-gb/gb/games4.cab
    O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - http://www.addictivetechnologies.net/DM0/cab/w3th3rb.cab
    O16 - DPF: {FFFF0003-0001-101A-A3C9-08002B2F49FB} - http://64.237.46.147/uk/gvx143u2sm_wall.exe
    O19 - User stylesheet: C:\WINDOWS\Web\tips.ini
    O19 - User stylesheet: C:\WINDOWS\hh.htt (HKLM)
     
    Last edited: Apr 15, 2004
  5. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi Irisreds,

    Before you start, please unzip hijackthis to a separate folder. The program will make backups in the folder in the folder it's in.
    These easily get lost in a Temp folder.

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    O1 - Hosts: 1089288654 auto.search.msn.com
    O2 - BHO: (no name) - {CE7C3CF0-4B15-11D1-ABED-709549C10000} - C:\WINDOWS\IEHELPER.DLL

    O4 - HKLM\..\Run: [tapqiupr.exe] C:\WINDOWS\SYSTEM\tapqiupr.exe
    O4 - HKLM\..\Run: [Soundmx] \soundmx.exe

    O4 - HKLM\..\Run: [MSVersion] C:\WINDOWS\SYSTEM\INTERNETFEATURES.exe
    O4 - HKLM\..\Run: [Mwsvm] C:\WINDOWS\mwsvm.exe
    O4 - HKLM\..\Run: [MSZTCE] C:\WINDOWS\SYSTEM\MSZTCE.EXE

    O4 - HKLM\..\RunServices: [Main16] c:\windows\system\main16.exe

    O4 - HKCU\..\Run: [Instant Access] rundll32.exe EGCOMLIB_1031.dll,InstantAccess
    O4 - HKCU\..\Run: [mslagent] C:\WINDOWS\navpmc\NAVPMC.EXE

    O16 - DPF: {A0F0D762-D1DE-43AF-B70E-D87864743EB3} (NSLiteUpdateCtrl Class) - http://217.145.76.16/nslite/nslite.cab

    O16 - DPF: {F0230524-9D39-4E84-8452-41C592961EA7} (Installer Class) - http://www.4wav.com/Config.cab
    O16 - DPF: {88C51E90-8E9C-4C96-8A45-574D88B63FAF} (Matrix Class) - http://acceso.masminutos.com/aplicacion.cab
    O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://66.230.143.209/loader/dploader.cab
    O16 - DPF: {91413D86-9F27-402C-B5E3-DEBDD122C339} - http://content.netvenda.com/sites/games-uk/uk/games4.cab
    O16 - DPF: {093F9CF8-0DE1-491C-95D5-5EC257BD4CA3} - http://akamai.downloadv3.com/binaries/IA/dtc32_EN.cab
    O16 - DPF: {CEFB7B49-9652-464F-8AFD-A577C0500F39} (EGP2ECOM Class) - http://akamai.downloadv3.com/binaries/P2EClient/EGAUTH_1004_pack.cab

    O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.truedoc.com/activex/tdserver.cab

    O16 - DPF: {582788CA-7014-4904-A4EE-6FB6108AFE8E} - http://www.123mania.com/asrcware.cab
    O16 - DPF: {6814A9EF-FBF1-46B2-A46E-56B401079C26} - http://www.dialer-shop.com/cexe/b200ex8.exe
    O16 - DPF: {91433D86-9F27-402C-B5E3-DEBDD122C339} - http://www.netvenda.com/sites/games-gb/gb/games4.cab
    O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - http://www.addictivetechnologies.net/DM0/cab/w3th3rb.cab
    O16 - DPF: {FFFF0003-0001-101A-A3C9-08002B2F49FB} - http://64.237.46.147/uk/gvx143u2sm_wall.exe
    O19 - User stylesheet: C:\WINDOWS\Web\tips.ini
    O19 - User stylesheet: C:\WINDOWS\hh.htt (HKLM)[/QUOTE]

    Download and run: http://www.spywareinfoforum.com/~merijn/files/CWShredder.exe
    Use the Fix button and follow the instructions you will receive.

    Then reboot into safe mode
    and delete:
    C:\WINDOWS\mwsvm.exe

    Could you please mail me (preferably zipped up) copies of:
    C:\WINDOWS\SYSTEM\MSZTCE.EXE
    c:\windows\system\main16.exe
    C:\WINDOWS\navpmc\NAVPMC.EXE

    click this link for my address

    Regards,

    Pieter
     
Thread Status:
Not open for further replies.