zzb

Discussion in 'adware, spyware & hijack cleaning' started by zzbvictim, Mar 19, 2004.

Thread Status:
Not open for further replies.
  1. zzbvictim

    zzbvictim Guest

    I ran HijackThis but how do you post the results?
     
  2. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    4,449
    Location:
    North Carolina, USA
    Hi zzbvictim,

    Welcome to Wilders!!!

    Hijackthis icon & double click it.
    The Hijackthis window will open, click the Scan button.
    In a little while the scan button will change to Save Log and Fix Checked. DO NOT FIX ANYTHING YET. Click the Save Log button.
    A Save Log window will open up, it is a good idea to save your log to the same folder as Hijackthis, so double click on your Hijackthis folder and then click Save.

    HTH....

    Regards,
    Kent
     
  3. zzbvictim

    zzbvictim Guest

    thank you. here is my log. I would appreciate it if someone could tell me what to do.

    Logfile of HijackThis v1.97.7
    Scan saved at 1:46:45 PM, on 3/19/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 5\DIRECTCD\DIRECTCD.EXE
    C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
    C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON UTILITIES\SYSDOC32.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
    C:\WINDOWS\TEMP\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: (no name) - {DEDE69C3-E0CE-FFB0-EB46-FCD3FCFB9EEC} - C:\windows\system\cwfgycuo.dll
    O2 - BHO: (no name) - {3FB06D2B-CF22-49FD-F3E2-56861BFFB540} - C:\windows\system\wuuvpsmw.dll
    O2 - BHO: (no name) - {73CAE36B-8395-F2BD-7023-F9F0EC967A02} - C:\windows\system\jfotgmkn.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar1.dll
    O4 - HKLM\..\Run: [Norton Auto-Protect] "C:\PROGRA~1\NORTON~3\NORTON~2\NAVAPW32.EXE /LOADQUIET"
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\NORTON~3\NORTON~2\DEFALERT.EXE
    O4 - HKLM\..\Run: [Norton eMail Protect] C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\POProxy.exe
    O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
    O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
    O4 - HKCU\..\Run: [FreeRAM XP] "C:\PROGRAM FILES\FRAMXPPRO\FREERAM XP PRO 1.40.EXE" -win
    O4 - Startup: Norton System Doctor.LNK = C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
    O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
    O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\GOOGLETOOLBAR1.DLL/cmsearch.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\GOOGLETOOLBAR1.DLL/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\GOOGLETOOLBAR1.DLL/cmsimilar.html
    O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\GOOGLETOOLBAR1.DLL/cmbacklinks.html
    O8 - Extra context menu item: Translate into English - res://C:\WINDOWS\GOOGLETOOLBAR1.DLL/cmtrans.html
    O9 - Extra button: AIM (HKLM)
    O12 - Plugin for .swf: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\NPSWF32.dll
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37862.3033333333
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.6.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,76/mcinsctl.cab
     
  4. puff-m-d

    puff-m-d Registered Member

    Hi zzbvictim,

    Welcome to Wilders.

    Before you start, please unzip or move HijackThis to a separate folder. The program will make backups in the folder it's in. These easily get lost in a temporary folder.

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: (no name) - {DEDE69C3-E0CE-FFB0-EB46-FCD3FCFB9EEC} - C:\windows\system\cwfgycuo.dll
    O2 - BHO: (no name) - {3FB06D2B-CF22-49FD-F3E2-56861BFFB540} - C:\windows\system\wuuvpsmw.dll
    O2 - BHO: (no name) - {73CAE36B-8395-F2BD-7023-F9F0EC967A02} - C:\windows\system\jfotgmkn.dll

    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.6.cab

    Then reboot in Safe Mode and delete the following:

    C:\windows\system\cwfgycuo.dll
    C:\windows\system\wuuvpsmw.dll
    C:\windows\system\jfotgmkn.dll

    Reboot and then post a fresh HijackThis log.

    Regards,
    Kent
     
  5. zzbvictim

    zzbvictim Guest

    how do you reboot in safe mode?
     
  6. puff-m-d

    puff-m-d Registered Member

    zzbvictim,

    To reboot into safe mode.

    HTH....

    Regards,
    Kent
     
  7. zzbvictim

    zzbvictim Guest

    new log:

    Logfile of HijackThis v1.97.7
    Scan saved at 3:44:34 PM, on 3/19/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 5\DIRECTCD\DIRECTCD.EXE
    C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\POPROXY.EXE
    C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
    C:\PROGRAM FILES\FRAMXPPRO\FREERAM XP PRO 1.40.EXE
    C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON UTILITIES\SYSDOC32.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\1ST FOLDER EZRA\DOWNLOADS\HIJACKTHIS1977\HIJACKTHIS.EXE

    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar1.dll
    O4 - HKLM\..\Run: [Norton Auto-Protect] "C:\PROGRA~1\NORTON~3\NORTON~2\NAVAPW32.EXE /LOADQUIET"
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\NORTON~3\NORTON~2\DEFALERT.EXE
    O4 - HKLM\..\Run: [Norton eMail Protect] C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\POProxy.exe
    O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
    O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
    O4 - HKCU\..\Run: [FreeRAM XP] "C:\PROGRAM FILES\FRAMXPPRO\FREERAM XP PRO 1.40.EXE" -win
    O4 - Startup: Norton System Doctor.LNK = C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
    O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
    O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\GOOGLETOOLBAR1.DLL/cmsearch.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\GOOGLETOOLBAR1.DLL/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\GOOGLETOOLBAR1.DLL/cmsimilar.html
    O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\GOOGLETOOLBAR1.DLL/cmbacklinks.html
    O8 - Extra context menu item: Translate into English - res://C:\WINDOWS\GOOGLETOOLBAR1.DLL/cmtrans.html
    O9 - Extra button: AIM (HKLM)
    O12 - Plugin for .swf: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\NPSWF32.dll
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37862.3033333333
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,76/mcinsctl.cab
     
  8. puff-m-d

    puff-m-d Registered Member

    zzbvictim,

    Your problems should be gone now and everything back to normal...

    Regards,
    Kent
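
Added example, not part of the original thread or written by any poster: a small Python check that compares a HijackThis log taken before a fix with one taken after, confirming that every entry on the fix list is gone and nothing else changed. The log excerpts are trimmed copies of lines posted above; the function names are hypothetical.

```python
import re

# Constructed excerpts of the two logs posted in this thread (trimmed for brevity).
BEFORE = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {DEDE69C3-E0CE-FFB0-EB46-FCD3FCFB9EEC} - C:\windows\system\cwfgycuo.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar1.dll
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.6.cab
"""
AFTER = r"""
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar1.dll
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
"""
# Entries the helper asked to tick before clicking "Fix checked" (same trimming).
FIX_LIST = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {DEDE69C3-E0CE-FFB0-EB46-FCD3FCFB9EEC} - C:\windows\system\cwfgycuo.dll
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.6.cab
"""

# An entry line is a section code (R0, O2, O16, ...) followed by " - " and a body.
# Header lines and the "Running processes" paths do not match this shape.
ENTRY = re.compile(r"^\s*([A-Z]\d{1,2}) - (.+?)\s*$")

def parse_entries(log_text):
    """Map (section, lowercased body) -> (section, body) for each entry line."""
    entries = {}
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if m:
            # Windows paths and registry keys are case-insensitive, so compare lowercased.
            entries[(m.group(1), m.group(2).lower())] = (m.group(1), m.group(2))
    return entries

def verify_cleanup(before, after, fix_list):
    """Compare two logs against the fix list and report anything unexpected."""
    b, a, wanted = (parse_entries(t).keys() for t in (before, after, fix_list))
    return {
        "removed": sorted(b - a),
        "still_present": sorted(wanted & a),          # fix did not take effect
        "unexpected_removals": sorted((b - a) - wanted),
        "new_entries": sorted(a - b),                 # something reinstalled itself
    }

def bho_files(log_text):
    """DLL paths named by O2 (Browser Helper Object) entries, for manual deletion."""
    return [body.rsplit(" - ", 1)[-1]
            for section, body in parse_entries(log_text).values() if section == "O2"]

if __name__ == "__main__":
    print(verify_cleanup(BEFORE, AFTER, FIX_LIST))
    print(bho_files(FIX_LIST))
```

An empty `still_present` and `new_entries` is what the second log in this thread shows; a non-empty `new_entries` after a reboot would mean something is re-registering the removed items.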
     
  9. zzbvictim

    zzbvictim Guest

    Thanks a lot! :) You were patient and told me what to do quickly. I have been trying for 3 weeks to solve this problem, and you fixed it! I will recommend your site to anyone I know who has a problem you might be able to solve. Thanks again; you saved me a few hundred bucks (or more) because my cdrom doesn't work and I cannot reinstall Windows (I am working on a very old laptop and cannot get a replacement, lol). :) :)
     
  10. puff-m-d

    puff-m-d Registered Member

    Hi zzbvictim,

    Thanks for the compliments!!

    Wilders is a great site where all the members work together as a team.

    I am just glad to have been able to help you.....

    Regards,
    Kent
     