Please ck my 95 Windows

Discussion in 'adware, spyware & hijack cleaning' started by bandonisp, Feb 29, 2004.

Thread Status:
Not open for further replies.
  1. bandonisp

    bandonisp Registered Member

    Joined:
    Feb 24, 2004
    Posts:
    53
    Location:
    Bandon, Oregon
    I have done adware and SpyBot. Here is the log!
    Could I have a check up?

    Logfile of HijackThis v1.97.7
    Scan saved at 2:00:04 AM, on 2/29/04
    Platform: Windows 95 a (Win9x 4.00.1111)
    MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\PROGRAM FILES\MCAFEE\VIRUSSCAN\VSHWIN32.EXE
    C:\PROGRAM FILES\NORTON PERSONAL FIREWALL\NISSERV.EXE
    C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe
    C:\PROGRAM FILES\ENCOMPASS\MONITOR.EXE
    C:\PROGRAM FILES\NORTON PERSONAL FIREWALL\IAMAPP.EXE
    C:\PROGRAM FILES\NORTON PERSONAL FIREWALL\NISUM.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\ATICWD32.EXE
    C:\WINDOWS\RSRCMTR.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\tapiexe.exe
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
    C:\WINDOWS\TEMP\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gct21.net/~jeris/news
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.lycos.com/msie4.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Bandon Queen's Browser
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM\NZDD.DLL
    O2 - BHO: (no name) - {0549E6CB-9985-42F6-8FD6-4EC017E6AAE1} - C:\PROGRAM FILES\SURFAPPS.COM\POPTHIS! FREE VERSION\POPTHIS.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [Vshwin32EXE] C:\Program Files\McAfee\VirusScan\VSHWIN32.EXE
    O4 - HKLM\..\Run: [Encompass Monitor] C:\Program Files\Encompass\MONITOR.EXE
    O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
    O4 - HKLM\..\RunServices: [Vshwin32EXE] C:\Program Files\McAfee\VirusScan\VSHWIN32.EXE
    O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe
    O4 - HKLM\..\RunServices: [EncMonitor] C:\Program Files\Encompass\Monitor.exe
    O4 - Startup: Resource Monitor.lnk = C:\WINDOWS\RSRCMTR.EXE
    O9 - Extra button: ICQ (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O9 - Extra 'Tools' menuitem: PopThis! Options... (HKLM)
    O13 - WWW. Prefix: http://
    O16 - DPF: Dialpad US Java Applet - http://www.dialpad.com/applet/src/vscp.cab
    O16 - DPF: Go2CallClient - http://globalcomm.go2call.com/cashDialer/CallClient.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi bandonisp,

    Your log looks pretty good.
    Have HijackThis:
    O16 - DPF: Go2CallClient - http://globalcomm.go2call.com/cashDialer/CallClient.cab
    and you should be fine.

    Regards,

    Pieter
     
  3. bandonisp

    bandonisp Registered Member

    Joined:
    Feb 24, 2004
    Posts:
    53
    Location:
    Bandon, Oregon
    Thanks Pieter,
    I noticed that it is a link: http://globalcomm.go2call.com/cashDialer/CallClient.cab
    I click on this! It this a NO, No. It showed a page with a lot of nothing. Could you add to what I saw? Thanks
     

    Attached Files:

  4. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi abandonisp.

    I can't help with interpreting what the full link that included the 'cab' file showed you, but the link to globalcomm is listed in IE-Spyad 's Restricted Sites List. You might want to consider installing IE-Spyad for your Internet Explorer, and also look at SpywareBlaster which will help protect you from malicious ActiveX drive-by downloads being installed from unfriendly websites (The 016's you see in your HijackThis log represent the ActiveX...not all are bad of course, some are needed, but some can be very nasty).

    Hope that helps a bit,

    snap
     
  5. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Thanks snap,

    I had it fixed because AdShield wouldnot let me go there.

    bandonisp,

    I would love to do the research, if I had the time or if it would learn us something new. But obviously several people beat me to it, and I trust their judgement. :)

    Regards,

    Pieter
     
Thread Status:
Not open for further replies.