
Browser Hijacks, logfile

Discussion in 'Security and Privacy' started by albatros, 2004/04/29.

Thread Status:
Not open for further replies.
  1. 2004/04/29
    albatros

    albatros Inactive Thread Starter

    Joined:
    2004/04/17
    Messages:
    58
    Likes Received:
    0
    I found many garbage links installed in my Favorites folder by some parasite adware, and my browser is also hijacked. I ran Ad-Aware to scan and clean everything, then scanned with the HijackThis utility; it shows some suspicious keys (and one process). I am not sure what could be removed absolutely safely from this.

    Logfile of HijackThis v1.97.3
    Scan saved at 22:45:55, on 4/29/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\KASPERSKY LAB\KASPERSKY ANTI-VIRUS\AVPCC.EXE
    C:\PROGRAM FILES\ATGUARD\IAMSERV.EXE
    C:\PROGRAM FILES\ATGUARD\IAMAPP.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\PROGRAM FILES\KASPERSKY LAB\KASPERSKY ANTI-VIRUS\AVPM.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\SYSTEM\INTERNAT.EXE
    C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\MMKEYBD.EXE
    C:\PROGRAM FILES\KASPERSKY LAB\KASPERSKY ANTI-VIRUS\AVPCC.EXE
    C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
    C:\WINDOWS\SYSTEM32\WINPROC32.EXE
    C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
    C:\PROGRAM FILES\SIERRA IMAGING\IMAGE EXPERT\IXAPPLET.EXE
    C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\TRAYMON.EXE
    C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\TEMP\ADWARE-CLEANER\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://4-counter.com/?a=2&b=alexxp
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://4-counter.com/?a=2&b=alexxp
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://4-counter.com/?a=2&b=alexxp
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://4-counter.com/?a=2&b=alexxp
    R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://4-counter.com/?a=2&b=alexxp
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://4-counter.com/?a=2&b=alexxp
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://4-counter.com/?a=2&b=alexxp
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://4-counter.com/?a=2&b=alexxp
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 159.148.1.130:8888
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [internat.exe] internat.exe
    O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
    O4 - HKLM\..\Run: [AVPCC] C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus\avpcc.exe /wait
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [AVPCC Service] C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus\avpcc.exe /Service
    O4 - HKCU\..\Run: [Windows Internet Protocol] C:\WINDOWS\SYSTEM32\WINPROC32.EXE
    O4 - Startup: WinZip Quick Pick.lnk = C:\PROGRA~1\WINZIP\wzqkpick.exe
    O4 - Startup: Camio Viewer.lnk = C:\Program Files\Sierra Imaging\Image Expert\IXApplet.exe
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O12 - Plugin for .htm: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
    O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...apple.com/qt505/us/win/QuickTimeInstaller.exe
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.25.152/code/PWActiveXImgCtl.CAB
    O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.tiomeg.com/tms/bin/XUpload.ocx
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37923.1238078704
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = delfi.lv
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 192.168.0.1
     
  2. 2004/04/29
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    First, download and run, with all browsers closed, CWShredder from the link in my signature. Then scan again with HJT and fix any of these that remain.



    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://4-counter.com/?a=2&b=alexxp
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://4-counter.com/?a=2&b=alexxp
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://4-counter.com/?a=2&b=alexxp
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://4-counter.com/?a=2&b=alexxp
    R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://4-counter.com/?a=2&b=alexxp
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://4-counter.com/?a=2&b=alexxp
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://4-counter.com/?a=2&b=alexxp
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://4-counter.com/?a=2&b=alexxp
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
    O4 - HKCU\..\Run: [Windows Internet Protocol] C:\WINDOWS\SYSTEM32\WINPROC32.EXE
    O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.25.152/code/PWActiveXImgCtl.CAB

    These are not needed at startup and could be fixed also.

    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [internat.exe] internat.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - Startup: WinZip Quick Pick.lnk = C:\PROGRA~1\WINZIP\wzqkpick.exe


    Also suggest you install, update and run Spybot. Delete all it finds.

    Reboot, surf a bit and post another log.
     

  4. 2004/04/30
    albatros

    albatros Inactive Thread Starter

    Joined:
    2004/04/17
    Messages:
    58
    Likes Received:
    0
    Is there a way to solve the problem without installing an additional program (CWShredder)? I already have Ad-Aware installed, plus the HijackThis utility. I used the latest update for Ad-Aware, but this did not help to remove the hijacker. I suspect WINPROC32.exe.
    I discussed the problem on the Ad-Aware help forum, but it looks most likely that Ad-Aware just does not detect this hijacker.
     
  5. 2004/04/30
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    This is a CoolWebSearch hijack; only CWShredder will fix it. Plus,
    do as noahdfear suggests, because CWShredder won't yet target WINPROC32.EXE (it might not).

    So download and then run CWShredder,
    then run HijackThis and fix any of the R0's and R1's that are not yours,
    plus these:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
    O4 - HKCU\..\Run: [Windows Internet Protocol] C:\WINDOWS\SYSTEM32\WINPROC32.EXE

    Then reboot the PC, come back and post a fresh HijackThis log.
    C:\WINDOWS\SYSTEM32\WINPROC32.EXE - delete that file too.

    Neither HijackThis nor CWShredder install or uninstall; they are just exe's.
    They can be moved around, and when you're done with them you can delete them.
     
  6. 2004/04/30
    albatros

    albatros Inactive Thread Starter

    Joined:
    2004/04/17
    Messages:
    58
    Likes Received:
    0
    I have run CWShredder, then rebooted, then scanned with HijackThis.
    What can safely be fixed from this?

    Logfile of HijackThis v1.97.7
    Scan saved at 14:26:34, on 4/30/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\KASPERSKY LAB\KASPERSKY ANTI-VIRUS\AVPCC.EXE
    C:\PROGRAM FILES\ATGUARD\IAMSERV.EXE
    C:\PROGRAM FILES\ATGUARD\IAMAPP.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\PROGRAM FILES\KASPERSKY LAB\KASPERSKY ANTI-VIRUS\AVPM.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\SYSTEM\INTERNAT.EXE
    C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\MMKEYBD.EXE
    C:\PROGRAM FILES\KASPERSKY LAB\KASPERSKY ANTI-VIRUS\AVPCC.EXE
    C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
    C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
    C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\TRAYMON.EXE
    C:\PROGRAM FILES\SIERRA IMAGING\IMAGE EXPERT\IXAPPLET.EXE
    C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\TEMP\ADWARE-CLEANER\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 159.148.1.130:8888
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [internat.exe] internat.exe
    O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
    O4 - HKLM\..\Run: [AVPCC] C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus\avpcc.exe /wait
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [AVPCC Service] C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus\avpcc.exe /Service
    O4 - Startup: WinZip Quick Pick.lnk = C:\PROGRA~1\WINZIP\wzqkpick.exe
    O4 - Startup: Camio Viewer.lnk = C:\Program Files\Sierra Imaging\Image Expert\IXApplet.exe
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O12 - Plugin for .htm: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
    O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: {FDF08AD8-FF1A-11D3-AD38-00105A49098D} (MSSignData Control) - https://www.rbworld.lv/bankworld/common/Applets/MSSignData.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...apple.com/qt505/us/win/QuickTimeInstaller.exe
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.25.152/code/PWActiveXImgCtl.CAB
    O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.tiomeg.com/tms/bin/XUpload.ocx
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37923.1238078704
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = delfi.lv
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 192.168.0.1
    ----------------------------------
    Thanks
     
  7. 2004/04/30
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    The items in my first post, as well as deleting the file pointed out by Lonny, still apply.
     
  8. 2004/04/30
    albatros

    albatros Inactive Thread Starter

    Joined:
    2004/04/17
    Messages:
    58
    Likes Received:
    0
    What is this running process: C:\WINDOWS\SYSTEM\DDHELP.EXE?

    Could this also be fixed?
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 159.148.1.130:8888

    Are the following settings not present in the default Windows configuration, and should they be fixed?

    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [internat.exe] internat.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - Startup: WinZip Quick Pick.lnk = C:\PROGRA~1\WINZIP\wzqkpick.exe
     
  9. 2004/04/30
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    Fix this
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
    then close and re-open Internet Explorer, run HijackThis again, and tell us if it comes back.

    I see some proxy settings; does your internet provider require them?

    Your last log is all fugged up; don't edit them, copy and paste exactly as they are.
     
  10. 2004/04/30
    albatros

    albatros Inactive Thread Starter

    Joined:
    2004/04/17
    Messages:
    58
    Likes Received:
    0
    Now the browser works normally; the WINPROC32 parasite is cleaned.
    NameServer = 192.168.0.1 - it looks like our provider's gateway.
    I do not use a proxy.

    Logfile of HijackThis v1.97.7
    Scan saved at 16:14:43, on 4/30/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\KASPERSKY LAB\KASPERSKY ANTI-VIRUS\AVPCC.EXE
    C:\PROGRAM FILES\ATGUARD\IAMSERV.EXE
    C:\PROGRAM FILES\ATGUARD\IAMAPP.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\PROGRAM FILES\KASPERSKY LAB\KASPERSKY ANTI-VIRUS\AVPM.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\SYSTEM\INTERNAT.EXE
    C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\MMKEYBD.EXE
    C:\PROGRAM FILES\KASPERSKY LAB\KASPERSKY ANTI-VIRUS\AVPCC.EXE
    C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
    C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
    C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\TRAYMON.EXE
    C:\PROGRAM FILES\SIERRA IMAGING\IMAGE EXPERT\IXAPPLET.EXE
    C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\TEMP\ADWARE-CLEANER\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 159.148.1.130:8888
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [internat.exe] internat.exe
    O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
    O4 - HKLM\..\Run: [AVPCC] C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus\avpcc.exe /wait
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [AVPCC Service] C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus\avpcc.exe /Service
    O4 - Startup: WinZip Quick Pick.lnk = C:\PROGRA~1\WINZIP\wzqkpick.exe
    O4 - Startup: Camio Viewer.lnk = C:\Program Files\Sierra Imaging\Image Expert\IXApplet.exe
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O12 - Plugin for .htm: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
    O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: {FDF08AD8-FF1A-11D3-AD38-00105A49098D} (MSSignData Control) - https://www.rbworld.lv/bankworld/common/Applets/MSSignData.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...apple.com/qt505/us/win/QuickTimeInstaller.exe
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.25.152/code/PWActiveXImgCtl.CAB
    O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.tiomeg.com/tms/bin/XUpload.ocx
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37923.1238078704
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = delfi.lv
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 192.168.0.1
     
  11. 2004/04/30
    albatros

    albatros Inactive Thread Starter

    Joined:
    2004/04/17
    Messages:
    58
    Likes Received:
    0
    Just corrected my thread.
     
    Last edited: 2004/04/30
  12. 2004/04/30
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    Looks good.

    Your PC will actually run better with fewer things starting up with Windows.
    Take noahdfear's advice and fix those optional ones he mentioned.
    If you do fix the WinZip one, you might have to tell it, in its options, not to start at Windows startup.

    DDHELP.EXE is something to do with DirectX.

    You can get more information on things like that by looking here for processes
    http://www.liutilities.com/products/wintaskspro/processlibrary/
    and here for startups
    http://www.windowsstartup.com/wso/search.php

    Regards
     
  13. 2004/04/30
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    I believe this was set by your ISP, as it resolved to one.
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 159.148.1.130:8888
    Not hurting anything. Leave it.

    Still would fix this one.
    O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.25.152/code/PWActiveXImgCtl.CAB
     
    Lonny Jones likes this.
  14. 2004/04/30
    albatros

    albatros Inactive Thread Starter

    Joined:
    2004/04/17
    Messages:
    58
    Likes Received:
    0
    It is possible to use the msconfig System Configuration utility to clear/check a box to disable a startup item. When I use HijackThis to fix, does it remove the registry key?


    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [internat.exe] internat.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - Startup: WinZip Quick Pick.lnk = C:\PROGRA~1\WINZIP\wzqkpick.exe

    Thanks
     
  15. 2004/04/30
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    It's better to use msconfig, yes; we can use HijackThis for that, though, and then if we want them back, use its backups.

    Be sure to read the stickies in this forum section when you have time, especially this one:
    http://www.windowsbbs.com/showthread.php?t=29357
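Editor's added example, not code from the thread and not HijackThis or CWShredder code: the script below applies the triage rules the helpers used above (search/start pages pointing at 4-counter.com, the WINPROC32.EXE autorun, an ActiveX control fetched from a bare IP address, the proxy and NameServer entries to confirm with the ISP) to the log lines quoted in the thread, and, for the question in the last two posts, shows what a HijackThis "fix" of an O4 Run entry amounts to by generating the REGEDIT4 delete script together with the script that restores the value. The indicator sets, the verdict names and the Win9x SYSTEM32 heuristic are assumptions drawn from this thread only, not a general signature set.

```python
"""HijackThis log triage, plus the registry edit a 'fix' of an O4 entry amounts to.

Added example for this thread, not HijackThis or CWShredder code. The indicator
sets (4-counter.com, WINPROC32.EXE) and the heuristics are assumptions drawn
from the replies in the thread, not a general signature database.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

BAD_HOSTS = {"4-counter.com"}   # search hijack host seen in the log
BAD_FILES = {"winproc32.exe"}   # file the helpers said to delete

# Lines copied from the logs posted in the thread
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://4-counter.com/?a=2&b=alexxp
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://4-counter.com/?a=2&b=alexxp
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 159.148.1.130:8888
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
O4 - HKLM\..\Run: [AVPCC] C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus\avpcc.exe /wait
O4 - HKCU\..\Run: [Windows Internet Protocol] C:\WINDOWS\SYSTEM32\WINPROC32.EXE
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.25.152/code/PWActiveXImgCtl.CAB
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 192.168.0.1
"""

R_LINE = re.compile(r"^R[01] - (?P<key>[^,]+),(?P<name>[^=]+) = (?P<value>.*)$")
O4_LINE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<sub>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O16_LINE = re.compile(r"^O16 - DPF: (?P<clsid>\{[0-9A-F-]+\})(?: \([^)]*\))? - (?P<url>\S+)$")
O17_LINE = re.compile(r"^O17 - .+: NameServer = (?P<value>.+)$")
HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}


@dataclass
class Finding:
    line: str
    verdict: str   # "fix", "verify" or "keep"
    reason: str


def host_of(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def is_ip(text: str) -> bool:
    try:
        return ipaddress.ip_address(text) is not None
    except ValueError:
        return False


def image_name(cmd: str) -> str:
    """Executable path from an O4 command, with quotes and arguments stripped."""
    m = re.match(r'"([^"]+)"|(.+?\.exe)(?=\s|$)', cmd, re.IGNORECASE)
    return (m.group(1) or m.group(2)) if m else cmd.split()[0]


def triage_line(line: str, win9x: bool = True) -> Finding:
    """Classify one HijackThis line as fix / verify / keep with the reviewer's reason."""
    line = line.strip()
    if m := R_LINE.match(line):
        name, value = m["name"].strip(), m["value"].strip()
        if host_of(value) in BAD_HOSTS:
            return Finding(line, "fix", f"IE {name} points at hijack host {host_of(value)}")
        if name.lower() == "proxyserver":
            return Finding(line, "verify", f"proxy {value}: confirm with the ISP before removing it")
        if name.endswith("_bak"):
            return Finding(line, "fix", f"{name} is a backup value the hijacker left behind")
        return Finding(line, "keep", "no indicator matched")
    if m := O4_LINE.match(line):
        exe = image_name(m["cmd"])
        base = exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if base in BAD_FILES:
            return Finding(line, "fix", f"[{m['name']}] runs known hijacker file {base}")
        if win9x and "\\windows\\system32\\" in exe.lower():
            # every Windows component in this Win98 log runs from \WINDOWS\SYSTEM
            return Finding(line, "verify", "Win9x autorun from \\WINDOWS\\SYSTEM32 is an outlier")
        return Finding(line, "keep", "no indicator matched")
    if m := O16_LINE.match(line):
        host = host_of(m["url"])
        if is_ip(host):
            return Finding(line, "fix", f"ActiveX {m['clsid']} fetched from bare IP {host}, not a vendor domain")
        return Finding(line, "keep", f"ActiveX control from {host}")
    if m := O17_LINE.match(line):
        ns = m["value"].strip()
        if is_ip(ns) and ipaddress.ip_address(ns).is_private:
            return Finding(line, "keep", f"NameServer {ns} is a private address (local gateway)")
        return Finding(line, "verify", f"NameServer {ns} is public: confirm it is the ISP's resolver")
    return Finding(line, "keep", "no heuristic for this entry type")


def triage_log(text: str, win9x: bool = True) -> List[Finding]:
    return [triage_line(l, win9x) for l in text.splitlines() if l.strip()]


def reg_fix_scripts(line: str) -> Optional[Tuple[str, str]]:
    """(fix, undo) REGEDIT4 files for an O4 Run/RunServices entry: 'fix' deletes the
    value, which is what a HijackThis fix does; 'undo' writes it back.
    Returns None for O4 entries that are not registry values (Startup folder .lnk files)."""
    m = O4_LINE.match(line.strip())
    if not m or m["hive"] not in HIVES:
        return None
    header = f"REGEDIT4\n\n[{HIVES[m['hive']]}\\Software\\Microsoft\\Windows\\CurrentVersion\\{m['sub']}]\n"
    fix = header + f'"{m["name"]}"=-\n'
    undo = header + f'"{m["name"]}"="{m["cmd"].replace(chr(92), chr(92) * 2)}"\n'
    return fix, undo


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f.verdict:6} {f.reason}")
    print(reg_fix_scripts("O4 - HKLM\\..\\Run: [TaskMonitor] C:\\WINDOWS\\taskmon.exe")[0])
```

Run as-is to see the verdicts for the sample lines: the two 4-counter.com entries, the Start Page_bak leftover, the WINPROC32.EXE autorun and the bare-IP ActiveX control come out as "fix", the proxy as "verify", and the Flash control, the Kaspersky autorun and the 192.168.0.1 NameServer as "keep", which is the same split the replies above arrived at. The REGEDIT4 pair makes the point of the last exchange concrete: a fix deletes the value, and the only way to get it back is a backup taken beforehand.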
     