Please Help Fix My Hijack This Log

Discussion in 'adware, spyware & hijack cleaning' started by sandanistarebel, Jun 10, 2004.

Thread Status:
Not open for further replies.
  1. sandanistarebel

    sandanistarebel Registered Member

    Joined:
    May 3, 2004
    Posts:
    11
    Hi,
    It seems i've been attacked/hijacked by some nasty program.
    msopt.dll sr.dll ATL.DLL jao.dll bridge.dll have all been created in my C:\\WINDOWS\SYSTEM folder.
    rstrmap.dat rstrlog.dat rstrs2l.da2 sfpdb.sfp have been created in a folder called C:\\WINDOWS\SYSTEM\sfp
    alt.dll has been created in a folder called C:\\WINDOWS\SYSTEM\sfp\archive
    I think those files might have something to do with the problem.
    I'm not sure if the following files do...
    00205982.JNL and h2r9171.TMP created in C:\\WINDOWS\TEMP
    just going by the time all these files were created and the time I started experiencing problems (slow internet, programs running slowly, computer crashes)

    I've run my antivirus software + I've run adaware + spybot S&D + deleted a few files + entries, but I still have the problem.

    My hijack this log is posted below:

    Logfile of HijackThis v1.97.7
    Scan saved at 19:45:35, on 10/06/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\SSDPSRV.EXE
    C:\PROGRAM FILES\TREND PC-CILLIN 2000\PCCIOMON.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\TREND PC-CILLIN 2000\POP3TRAP.EXE
    C:\PROGRAM FILES\TREND PC-CILLIN 2000\WEBTRAP.EXE
    C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
    C:\PROGRAM FILES\GEARBOX CONNECTION KIT\BIN\CONFSVR.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\RUNDLL32.EXE
    C:\WINDOWS\RUNDLL32.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\GEARBOX CONNECTION KIT\BIN\GBTASK.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\MY DOCUMENTS\JOHN'S FOLDER\HIJACKTHIS\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ntlworld.com/
    O2 - BHO: (no name) - {B9D90B27-AD4A-413a-88CB-3E6DDC10DC2D} - C:\WINDOWS\MSOPT.DLL
    O2 - BHO: sr - {FC2593E3-3E5A-410F-AF3D-82613CCE58E5} - C:\WINDOWS\SR.DLL
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [PCCIOMON.EXE] "C:\Program Files\Trend PC-cillin 2000\PCCIOMON.EXE"
    O4 - HKLM\..\Run: [pop3trap.exe] "C:\Program Files\Trend PC-cillin 2000\pop3trap.exe"
    O4 - HKLM\..\Run: [WebTrap.exe] "C:\Program Files\Trend PC-cillin 2000\WebTrap.exe"
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [Gearbox] "C:\Program Files\Gearbox Connection Kit\bin\confsvr.exe"
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [WinampAgent] "C:\PROGRAM FILES\WINAMP\WINAMPa.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [SiSAudio] C:\WINDOWS\SYSTEM\MP_S3.exe
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [PCCIOMON.EXE] "C:\Program Files\Trend PC-cillin 2000\PCCIOMON.EXE"
    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    O4 - HKLM\..\RunOnce: [Ad-aware] "C:\PROGRAM FILES\LAVASOFT\AD-AWARE 6\AD-AWARE.EXE" "+b1"
    O4 - Startup: MICROSOFT OFFICE.LNK = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O9 - Extra button: Real.com (HKLM)
    O12 - Plugin for .MTD: C:\PROGRA~1\INTERN~1\Plugins\npmusicn.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by10fd.bay10.hotmail.msn.com/activex/HMAtchmt.ocx
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37971.4581018519
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/virusinfo/webscan.cab
    O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-9.cab

    Here is the startup list that hijack this generated:

    StartupList report, 10/06/2004, 19:57:42
    StartupList version: 1.52
    Started from : C:\MY DOCUMENTS\JOHN'S FOLDER\HIJACKTHIS\HIJACKTHIS.EXE
    Detected: Windows ME (Win9x 4.90.3000)
    Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    * Using default options
    ==================================================

    Running processes:

    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\SSDPSRV.EXE
    C:\PROGRAM FILES\TREND PC-CILLIN 2000\PCCIOMON.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\TREND PC-CILLIN 2000\POP3TRAP.EXE
    C:\PROGRAM FILES\TREND PC-CILLIN 2000\WEBTRAP.EXE
    C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
    C:\PROGRAM FILES\GEARBOX CONNECTION KIT\BIN\CONFSVR.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\RUNDLL32.EXE
    C:\WINDOWS\RUNDLL32.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\GEARBOX CONNECTION KIT\BIN\GBTASK.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\NOTEPAD.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\MY DOCUMENTS\JOHN'S FOLDER\HIJACKTHIS\HIJACKTHIS.EXE

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Startup:
    [C:\WINDOWS\Start Menu\Programs\StartUp]
    MICROSOFT OFFICE.LNK = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    ScanRegistry = C:\WINDOWS\scanregw.exe /autorun
    TaskMonitor = C:\WINDOWS\taskmon.exe
    PCHealth = C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    SystemTray = SysTray.Exe
    LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    PCCIOMON.EXE = "C:\Program Files\Trend PC-cillin 2000\PCCIOMON.EXE"
    pop3trap.exe = "C:\Program Files\Trend PC-cillin 2000\pop3trap.exe"
    WebTrap.exe = "C:\Program Files\Trend PC-cillin 2000\WebTrap.exe"
    RealTray = C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    Gearbox = "C:\Program Files\Gearbox Connection Kit\bin\confsvr.exe"
    LoadQM = loadqm.exe
    WinampAgent = "C:\PROGRAM FILES\WINAMP\WINAMPa.exe"
    NvCplDaemon = RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    nwiz = nwiz.exe /install
    SiSAudio = C:\WINDOWS\SYSTEM\MP_S3.exe
    Cmaudio = RunDll32 cmicnfg.cpl,CMICtrlWnd
    QuickTime Task = "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    mswspl =

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

    Ad-aware = "C:\PROGRAM FILES\LAVASOFT\AD-AWARE 6\AD-AWARE.EXE" "+b1"

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

    LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    SchedulingAgent = mstask.exe
    SSDPSRV = C:\WINDOWS\SYSTEM\ssdpsrv.exe
    *StateMgr = C:\WINDOWS\System\Restore\StateMgr.exe
    PCCIOMON.EXE = "C:\Program Files\Trend PC-cillin 2000\PCCIOMON.EXE"

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    NVIEW = rundll32.exe nview.dll,nViewLoadHook

    --------------------------------------------------

    Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

    Shell=Explorer.exe
    SCRNSAVE.EXE=
    drivers=mmsystem.dll power.drv

    --------------------------------------------------

    C:\WINDOWS\WININIT.INI listing:
    (Created 10/6/2004, 19:37:56)

    [Rename]
    NUL=c:\windows\system\a.exe
    NUL=c:\windows\system\bridge.dll
    NUL=c:\windows\cookies\default@www.talkadvertising[1].txt

    --------------------------------------------------

    C:\WINDOWS\WININIT.BAK listing:
    (Created 10/6/2004, 11:38:16)

    [rename]
    C:\WINDOWS\SYSTEM\atl.dll=C:\_RESTORE\SFP\A0000001.CPY

    --------------------------------------------------

    C:\AUTOEXEC.BAT listing:

    SET windir=C:\WINDOWS
    SET winbootdir=C:\WINDOWS
    SET COMSPEC=C:\WINDOWS\COMMAND.COM
    SET PATH=C:\WINDOWS;C:\WINDOWS\COMMAND
    SET PROMPT=$p$g
    SET TEMP=C:\WINDOWS\TEMP
    SET TMP=C:\WINDOWS\TEMP

    --------------------------------------------------

    C:\WINDOWS\WINSTART.BAT listing:

    C:\WINDOWS\tmpcpyis.bat

    --------------------------------------------------


    Enumerating Browser Helper Objects:

    (no name) - C:\WINDOWS\MSOPT.DLL - {B9D90B27-AD4A-413a-88CB-3E6DDC10DC2D}
    sr - C:\WINDOWS\SR.DLL - {FC2593E3-3E5A-410F-AF3D-82613CCE58E5}

    --------------------------------------------------

    Enumerating Task Scheduler jobs:

    Tune-up Application Start.job
    PCHealth Scheduler for Data Collection.job
    Maintenance-ScanDisk.job
    Maintenance-Defragment programs.job
    Maintenance-Disk cleanup.job

    --------------------------------------------------

    Enumerating Download Program Files:

    [Shockwave Flash Object]
    InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    [Hotmail Attachments Control]
    InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\HMATCHMT.OCX
    CODEBASE = http://by10fd.bay10.hotmail.msn.com/activex/HMAtchmt.ocx

    [MessengerStatsClient Class]
    InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\MESSENGERSTATSCLIENT.DLL
    CODEBASE = http://messenger.zone.msn.com/binary/MessengerStatsClient.cab

    [QuickTime Object]
    InProcServer32 = C:\WINDOWS\SYSTEM\QTPLUGIN.OCX
    CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

    [Shockwave ActiveX Control]
    InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\DIRECTOR\SWDIR.DLL
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab

    [EPSImageControl Class]
    InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\EPSCONTROL.DLL
    CODEBASE = http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab

    [Update Class]
    InProcServer32 = C:\WINDOWS\SYSTEM\IUCTL.DLL
    CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37971.4581018519

    [WScanCtl Class]
    InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\WEBSCAN.DLL
    CODEBASE = http://www3.ca.com/virusinfo/webscan.cab

    [EPUImageControl Class]
    InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\EPUWALCONTROL.DLL
    CODEBASE = http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-9.cab

    --------------------------------------------------

    Enumerating ShellServiceObjectDelayLoad items:

    WebCheck: C:\WINDOWS\SYSTEM\WEBCHECK.DLL
    UPnPMonitor: C:\WINDOWS\SYSTEM\UPNPUI.DLL
    AUHook: C:\WINDOWS\SYSTEM\AUHOOK.DLL

    --------------------------------------------------
    End of report, 7,582 bytes
    Report generated in 0.092 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only

    PLEASE HELP ME!
    Thanks a lot,
    John
    :'(
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi sandanistarebel,

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    O2 - BHO: (no name) - {B9D90B27-AD4A-413a-88CB-3E6DDC10DC2D} - C:\WINDOWS\MSOPT.DLL
    O2 - BHO: sr - {FC2593E3-3E5A-410F-AF3D-82613CCE58E5} - C:\WINDOWS\SR.DLL

    Then reboot into safe mode and use the DiskCleanup Tool to empty all your Temp folders.

    When you are done, run HijackThis again and post the new log, so we can see if it all worked out as planned.

    Regards,

    Pieter
     
  3. sandanistarebel

    sandanistarebel Registered Member

    Joined:
    May 3, 2004
    Posts:
    11
    Hello,
    My log looks clean now, i'm a bit worried about the following part of my startup list though. can you please explain it to me.

    --------------------------------------------------

    C:\WINDOWS\WININIT.BAK listing:
    (Created 10/6/2004, 19:37:56)

    [Rename]
    NUL=c:\windows\system\a.exe
    NUL=c:\windows\system\bridge.dll
    NUL=c:\windows\cookies\default@www.talkadvertising[1].txt

    --------------------------------------------------

    Thanks for all your help so far. Here's my hijackthis log:

    Logfile of HijackThis v1.97.7
    Scan saved at 21:31:37, on 10/06/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\SSDPSRV.EXE
    C:\PROGRAM FILES\TREND PC-CILLIN 2000\PCCIOMON.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\TREND PC-CILLIN 2000\POP3TRAP.EXE
    C:\PROGRAM FILES\TREND PC-CILLIN 2000\WEBTRAP.EXE
    C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
    C:\PROGRAM FILES\GEARBOX CONNECTION KIT\BIN\CONFSVR.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
    C:\WINDOWS\RUNDLL32.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\RUNDLL32.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\GEARBOX CONNECTION KIT\BIN\GBTASK.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\MY DOCUMENTS\JOHN'S FOLDER\HIJACKTHIS\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ntlworld.com/
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [PCCIOMON.EXE] "C:\Program Files\Trend PC-cillin 2000\PCCIOMON.EXE"
    O4 - HKLM\..\Run: [pop3trap.exe] "C:\Program Files\Trend PC-cillin 2000\pop3trap.exe"
    O4 - HKLM\..\Run: [WebTrap.exe] "C:\Program Files\Trend PC-cillin 2000\WebTrap.exe"
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [Gearbox] "C:\Program Files\Gearbox Connection Kit\bin\confsvr.exe"
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [WinampAgent] "C:\PROGRAM FILES\WINAMP\WINAMPa.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [SiSAudio] C:\WINDOWS\SYSTEM\MP_S3.exe
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [PCCIOMON.EXE] "C:\Program Files\Trend PC-cillin 2000\PCCIOMON.EXE"
    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    O4 - Startup: MICROSOFT OFFICE.LNK = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O9 - Extra button: Real.com (HKLM)
    O12 - Plugin for .MTD: C:\PROGRA~1\INTERN~1\Plugins\npmusicn.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by10fd.bay10.hotmail.msn.com/activex/HMAtchmt.ocx
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37971.4581018519
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/virusinfo/webscan.cab
    O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-9.cab

    And here's my startup list:

    StartupList report, 10/06/2004, 21:31:46
    StartupList version: 1.52
    Started from : C:\MY DOCUMENTS\JOHN'S FOLDER\HIJACKTHIS\HIJACKTHIS.EXE
    Detected: Windows ME (Win9x 4.90.3000)
    Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    * Using default options
    ==================================================

    Running processes:

    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\SSDPSRV.EXE
    C:\PROGRAM FILES\TREND PC-CILLIN 2000\PCCIOMON.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\TREND PC-CILLIN 2000\POP3TRAP.EXE
    C:\PROGRAM FILES\TREND PC-CILLIN 2000\WEBTRAP.EXE
    C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
    C:\PROGRAM FILES\GEARBOX CONNECTION KIT\BIN\CONFSVR.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
    C:\WINDOWS\RUNDLL32.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\RUNDLL32.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\GEARBOX CONNECTION KIT\BIN\GBTASK.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\MY DOCUMENTS\JOHN'S FOLDER\HIJACKTHIS\HIJACKTHIS.EXE
    C:\WINDOWS\NOTEPAD.EXE

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Startup:
    [C:\WINDOWS\Start Menu\Programs\StartUp]
    MICROSOFT OFFICE.LNK = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    ScanRegistry = C:\WINDOWS\scanregw.exe /autorun
    TaskMonitor = C:\WINDOWS\taskmon.exe
    PCHealth = C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    SystemTray = SysTray.Exe
    LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    PCCIOMON.EXE = "C:\Program Files\Trend PC-cillin 2000\PCCIOMON.EXE"
    pop3trap.exe = "C:\Program Files\Trend PC-cillin 2000\pop3trap.exe"
    WebTrap.exe = "C:\Program Files\Trend PC-cillin 2000\WebTrap.exe"
    RealTray = C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    Gearbox = "C:\Program Files\Gearbox Connection Kit\bin\confsvr.exe"
    LoadQM = loadqm.exe
    WinampAgent = "C:\PROGRAM FILES\WINAMP\WINAMPa.exe"
    NvCplDaemon = RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    nwiz = nwiz.exe /install
    SiSAudio = C:\WINDOWS\SYSTEM\MP_S3.exe
    Cmaudio = RunDll32 cmicnfg.cpl,CMICtrlWnd
    QuickTime Task = "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    mswspl =

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

    LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    SchedulingAgent = mstask.exe
    SSDPSRV = C:\WINDOWS\SYSTEM\ssdpsrv.exe
    *StateMgr = C:\WINDOWS\System\Restore\StateMgr.exe
    PCCIOMON.EXE = "C:\Program Files\Trend PC-cillin 2000\PCCIOMON.EXE"

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    NVIEW = rundll32.exe nview.dll,nViewLoadHook

    --------------------------------------------------

    Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

    Shell=Explorer.exe
    SCRNSAVE.EXE=
    drivers=mmsystem.dll power.drv

    --------------------------------------------------

    C:\WINDOWS\WININIT.BAK listing:
    (Created 10/6/2004, 19:37:56)

    [Rename]
    NUL=c:\windows\system\a.exe
    NUL=c:\windows\system\bridge.dll
    NUL=c:\windows\cookies\default@www.talkadvertising[1].txt

    --------------------------------------------------

    C:\AUTOEXEC.BAT listing:

    SET windir=C:\WINDOWS
    SET winbootdir=C:\WINDOWS
    SET COMSPEC=C:\WINDOWS\COMMAND.COM
    SET PATH=C:\WINDOWS;C:\WINDOWS\COMMAND
    SET PROMPT=$p$g
    SET TEMP=C:\WINDOWS\TEMP
    SET TMP=C:\WINDOWS\TEMP

    --------------------------------------------------

    C:\WINDOWS\WINSTART.BAT listing:

    C:\WINDOWS\tmpcpyis.bat

    --------------------------------------------------


    Enumerating Task Scheduler jobs:

    Tune-up Application Start.job
    PCHealth Scheduler for Data Collection.job
    Maintenance-ScanDisk.job
    Maintenance-Defragment programs.job
    Maintenance-Disk cleanup.job

    --------------------------------------------------

    Enumerating Download Program Files:

    [Shockwave Flash Object]
    InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    [Hotmail Attachments Control]
    InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\HMATCHMT.OCX
    CODEBASE = http://by10fd.bay10.hotmail.msn.com/activex/HMAtchmt.ocx

    [MessengerStatsClient Class]
    InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\MESSENGERSTATSCLIENT.DLL
    CODEBASE = http://messenger.zone.msn.com/binary/MessengerStatsClient.cab

    [QuickTime Object]
    InProcServer32 = C:\WINDOWS\SYSTEM\QTPLUGIN.OCX
    CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

    [Shockwave ActiveX Control]
    InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\DIRECTOR\SWDIR.DLL
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab

    [EPSImageControl Class]
    InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\EPSCONTROL.DLL
    CODEBASE = http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab

    [Update Class]
    InProcServer32 = C:\WINDOWS\SYSTEM\IUCTL.DLL
    CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37971.4581018519

    [WScanCtl Class]
    InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\WEBSCAN.DLL
    CODEBASE = http://www3.ca.com/virusinfo/webscan.cab

    [EPUImageControl Class]
    InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\EPUWALCONTROL.DLL
    CODEBASE = http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-9.cab

    --------------------------------------------------

    Enumerating ShellServiceObjectDelayLoad items:

    WebCheck: C:\WINDOWS\SYSTEM\WEBCHECK.DLL
    UPnPMonitor: C:\WINDOWS\SYSTEM\UPNPUI.DLL
    AUHook: C:\WINDOWS\SYSTEM\AUHOOK.DLL

    --------------------------------------------------
    End of report, 6,869 bytes
    Report generated in 0.081 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only

    Thanks again,
    John
     
  4. sandanistarebel

    sandanistarebel Registered Member

    Joined:
    May 3, 2004
    Posts:
    11
    Also, disk cleanup didn't delete the files in my C:\WINDOWS\TEMP folder,
    should i delete those as well??
    Thanks for all your help so far
     
  5. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    The [rename] section can have multiple lines with one file per line. To delete a file, specify NUL as the DestinationFileName. Here are some entry examples:

    [rename]
    NUL=C:\TEMP.TXT
    C:\NEW_DIR\EXISTING.TXT=C:\EXISTING.TXT
    C:\NEW_DIR\NEWNAME.TXT=C:\OLDNAME.TXT
    C:\EXISTING.TXT=C:\TEMP\NEWFILE.TXT

    Source

    Your HijackThis log is clean by the way. :)

    Regards,

    Pieter
     
  6. sandanistarebel

    sandanistarebel Registered Member

    Joined:
    May 3, 2004
    Posts:
    11
    Thankyou so much.
    Once again, Wilder's has come through for me.
    Your response is always quick and accurate.

    just to clarify, the following

    --------------------------------------------------

    C:\WINDOWS\WININIT.BAK listing:
    (Created 10/6/2004, 19:37:56)

    [Rename]
    NUL=c:\windows\system\a.exe
    NUL=c:\windows\system\bridge.dll
    NUL=c:\windows\cookies\default@www.talkadvertising[1].txt

    --------------------------------------------------

    Is nothing to be worried about?

    Thanks again,
    :D
     
  7. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    No. It indicates that the three files behind the "=" sign will be deleted at reboot.

    Regards,

    Pieter
     
  8. sandanistarebel

    sandanistarebel Registered Member

    Joined:
    May 3, 2004
    Posts:
    11
    Excellent, Thanks again, You Are the best!!
    One more problem though...

    Before all this happened it seems there were 2/3 trojans on my pc.
    TROJ_BRISS.A and TROJ_BRISS.H in my _RESTORE\TEMP folder. I got rid of these by disabling system restore.

    and there was also TROJ_REVOP.F which was in my C:\\WINDOWS\TEMP and my temporary internet files folder. My virus checker seemed to have got rid of those.

    I mentioned some dll's that I wasn't sure about, and following your advice in this thread, I seemed to get rid of most of them. However, I ran a virus check today + jao.dll came up as TROJ_BRISS.A and my virus checker seemed to get rid of it. It also found some TROJ_BRISS.H in my _RESTORE\TEMP folder again. So I had to deactivate system restore. There's still one dll from the list I mentioned, ATL.DLL. Should I delete this? I'm just afriad that this thing is going to come back again if I reactivate system restore.
    I really don't know anything about this stuff, so I might just be clean now??
    Thanks for all your help,
    Wilder's always gets things sorted for me!
    :D
     
Thread Status:
Not open for further replies.