hijackthis

D

Dirk Nachbar

hi

i got a problem with pop-ups and a startpage, which i haven't chosen myself.
Could someone check my hijack log file and tell me what I have to eliminate.
Thanks

Logfile of HijackThis v1.97.7
Scan saved at 13:37:25, on 06/01/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATIPTAXX.EXE
C:\WINDOWS\TRAYP95.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\WINAMP3\WINAMPA.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\WINLOGON.EXE
C:\PROGRAM FILES\ONTRACK\SYSTEMSUITE\MXTASK.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\TOTALCMD\TOTALCMD.EXE
C:\WINDOWS\TEMP\_TC\HIJACKTHIS.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
C:\WINDOWS\homepage.htm
F1 - win.ini: run=hpfsched
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM
FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {00110011-4B0B-44D5-9718-90C88817369B} -
C:\WINDOWS\NavExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} -
C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLENAV.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe
powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [Fix-It AV] C:\PROGRA~1\ONTRACK\SYSTEM~1\MEMCHECK.EXE
O4 - HKLM\..\Run: [TrayPopup] C:\WINDOWS\trayp95.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common
Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Windows Shell Library Loader] load shell.dll /c /set
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe
powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKCU\..\Run: [winlogon] c:\windows\winlogon.exe
O4 - HKCU\..\Run: [QuickTime Task] c:\windows\qttasks.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
Office\Office\OSA9.EXE
O4 - Startup: SystemSuite.lnk = C:\Program
Files\Ontrack\SystemSuite\MXTask.exe
O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\DOWNLOADED
PROGRAM FILES\GOOGLENAV.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page -
res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLENAV.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\DOWNLOADED
PROGRAM FILES\GOOGLENAV.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\DOWNLOADED
PROGRAM FILES\GOOGLENAV.DLL/cmbacklinks.html
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: RealGuide (HKLM)
O9 - Extra button: ICQ Lite (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} (Google Activate) -
http://toolbar.google.com/data/de/deleon/1.1.62-deleon/GoogleNav.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX
Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} -
http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-9490133
8C922/wmv9VCM.CAB
O19 - User stylesheet: C:\WINDOWS\sample.txt
 
D

Dirk Nachbar

sorry, it seems not to have worked. I still have this weird start page. any
other suggestions?
 
I

Ian

Dirk said:
hi

i got a problem with pop-ups and a startpage, which i haven't chosen
myself. Could someone check my hijack log file and tell me what I
have to eliminate. Thanks

Logfile of HijackThis v1.97.7
Scan saved at 13:37:25, on 06/01/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATIPTAXX.EXE
C:\WINDOWS\TRAYP95.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\WINAMP3\WINAMPA.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\WINLOGON.EXE
C:\PROGRAM FILES\ONTRACK\SYSTEMSUITE\MXTASK.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\TOTALCMD\TOTALCMD.EXE
C:\WINDOWS\TEMP\_TC\HIJACKTHIS.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
C:\WINDOWS\homepage.htm
F1 - win.ini: run=hpfsched
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {00110011-4B0B-44D5-9718-90C88817369B} -
C:\WINDOWS\NavExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} -
C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLENAV.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe
powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [Fix-It AV]
C:\PROGRA~1\ONTRACK\SYSTEM~1\MEMCHECK.EXE
O4 - HKLM\..\Run: [TrayPopup] C:\WINDOWS\trayp95.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common
Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Windows Shell Library Loader] load shell.dll /c
/set
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe
powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager]
C:\WINDOWS\SYSTEM\MDM.EXE O4 - HKCU\..\Run: [winlogon]
c:\windows\winlogon.exe
O4 - HKCU\..\Run: [QuickTime Task] c:\windows\qttasks.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
Office\Office\OSA9.EXE
O4 - Startup: SystemSuite.lnk = C:\Program
Files\Ontrack\SystemSuite\MXTask.exe
O8 - Extra context menu item: &Google Search -
res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLENAV.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page -
res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLENAV.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages -
res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLENAV.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links -
res://C:\WINDOWS\DOWNLOADED PROGRAM
FILES\GOOGLENAV.DLL/cmbacklinks.html
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: RealGuide (HKLM)
O9 - Extra button: ICQ Lite (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash
Object) -
http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} (Google Activate) -
http://toolbar.google.com/data/de/deleon/1.1.62-deleon/GoogleNav.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX
Control) -
http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab O16
- DPF: {33564D57-0000-0010-8000-00AA00389B71} -
http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-9490133
8C922/wmv9VCM.CAB
O19 - User stylesheet: C:\WINDOWS\sample.txt
Click to expand...

Download Ad Aware from http://makeashorterlink.com/?V66A319F6
and also Spybot S&D from http://makeashorterlink.com/?U28A519F6

Install both, update them and scan.

Then install Spyware Blaster from http://makeashorterlink.com/?Y2DA249F6 and
keep it updated.

See if that helps.

Ian
 
K

kurt wismer

taff said:
Spybot Anti trojan should sort it out.
http://www.safer-networking.org/index.php?page=mirrors
Click to expand...

indeed... folks, please use malware specific tools first before
resorting to hijackthis and making us hunt through google for you to
figure out which things belong and which don't...

hijackthis is good, but it should be used as one of the last resorts...
there are good tools out there that already know what a wide variety of
bad things look like and can usually diagnose problems for you, which
means those tools should probably be able to help you much faster and
with less effort on everyone's part...
 
R

Robin T Cox

hi

i got a problem with pop-ups and a startpage, which i haven't chosen
myself. Could someone check my hijack log file and tell me what I have
to eliminate. Thanks

Logfile of HijackThis v1.97.7
Scan saved at 13:37:25, on 06/01/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATIPTAXX.EXE
C:\WINDOWS\TRAYP95.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\WINAMP3\WINAMPA.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\WINLOGON.EXE
C:\PROGRAM FILES\ONTRACK\SYSTEMSUITE\MXTASK.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\TOTALCMD\TOTALCMD.EXE
C:\WINDOWS\TEMP\_TC\HIJACKTHIS.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
C:\WINDOWS\homepage.htm
F1 - win.ini: run=hpfsched
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {00110011-4B0B-44D5-9718-90C88817369B} -
C:\WINDOWS\NavExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} -
C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLENAV.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe
powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [Fix-It AV]
C:\PROGRA~1\ONTRACK\SYSTEM~1\MEMCHECK.EXE O4 - HKLM\..\Run:
[TrayPopup] C:\WINDOWS\trayp95.exe O4 - HKLM\..\Run: [TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Windows Shell Library Loader] load shell.dll /c
/set O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe
powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager]
C:\WINDOWS\SYSTEM\MDM.EXE O4 - HKCU\..\Run: [winlogon]
c:\windows\winlogon.exe O4 - HKCU\..\Run: [QuickTime Task]
c:\windows\qttasks.exe O4 - Startup: Microsoft Office.lnk = C:\Program
Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: SystemSuite.lnk = C:\Program
Files\Ontrack\SystemSuite\MXTask.exe
O8 - Extra context menu item: &Google Search -
res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLENAV.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page -
res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLENAV.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages -
res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLENAV.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links -
res://C:\WINDOWS\DOWNLOADED PROGRAM
FILES\GOOGLENAV.DLL/cmbacklinks.html O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: RealGuide (HKLM)
O9 - Extra button: ICQ Lite (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash
Object) -
http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} (Google Activate) -
http://toolbar.google.com/data/de/deleon/1.1.62-deleon/GoogleNav.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX
Control) -
http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab O16
- DPF: {33564D57-0000-0010-8000-00AA00389B71} -
http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94
90133 8C922/wmv9VCM.CAB
O19 - User stylesheet: C:\WINDOWS\sample.txt
Click to expand...
O2 - BHO: (no name) - {00110011-4B0B-44D5-9718-90C88817369B} -
C:\WINDOWS\NavExt.dll
Click to expand...

This is a CoolWebSearch parasite variant. Use CWShredder to remove, then
repost:
http://www.merijn.org/files/CWShredder.exe
 
F

FromTheRafters

Dirk Nachbar said:
hi

i got a problem with pop-ups and a startpage, which i haven't chosen myself.
Could someone check my hijack log file and tell me what I have to eliminate.
Thanks
Click to expand...

[snipped log]

Have you used any scanners (Ad-Aware, Spybot S&D, or AV)?
That would be the best way to identify and remove many known
unwanted programs.
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe
powrprof.dll,LoadCurrentPwrScheme
Click to expand...
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe
powrprof.dll,LoadCurrentPwrScheme
Click to expand...

Although these may well be legitimate registry entries, you would
want to make sure that you don't have a "rundll32.exe" in the
system directory (the legitimate one is in the "windows" directory).
 
H

Heather

Dirk.......post the results into the Spyware Forum and within a very
short time, one of the gurus will tell you what to remove. I have used
them twice and they are excellent!!

http://forums.spywareinfo.com/index.php?s=&act=Post&CODE=00&f=11

Heather

Dirk Nachbar said:
hi

i got a problem with pop-ups and a startpage, which i haven't chosen myself.
Could someone check my hijack log file and tell me what I have to eliminate.
Thanks

Logfile of HijackThis v1.97.7
Scan saved at 13:37:25, on 06/01/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATIPTAXX.EXE
C:\WINDOWS\TRAYP95.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\WINAMP3\WINAMPA.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\WINLOGON.EXE
C:\PROGRAM FILES\ONTRACK\SYSTEMSUITE\MXTASK.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\TOTALCMD\TOTALCMD.EXE
C:\WINDOWS\TEMP\_TC\HIJACKTHIS.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
C:\WINDOWS\homepage.htm
F1 - win.ini: run=hpfsched
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM
FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {00110011-4B0B-44D5-9718-90C88817369B} -
C:\WINDOWS\NavExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} -
C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLENAV.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe
powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [Fix-It AV] C:\PROGRA~1\ONTRACK\SYSTEM~1\MEMCHECK.EXE
O4 - HKLM\..\Run: [TrayPopup] C:\WINDOWS\trayp95.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common
Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Windows Shell Library Loader] load shell.dll /c /set
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe
powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKCU\..\Run: [winlogon] c:\windows\winlogon.exe
O4 - HKCU\..\Run: [QuickTime Task] c:\windows\qttasks.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
Office\Office\OSA9.EXE
O4 - Startup: SystemSuite.lnk = C:\Program
Files\Ontrack\SystemSuite\MXTask.exe
O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\DOWNLOADED
PROGRAM FILES\GOOGLENAV.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page -
res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLENAV.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\DOWNLOADED
PROGRAM FILES\GOOGLENAV.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\DOWNLOADED
PROGRAM FILES\GOOGLENAV.DLL/cmbacklinks.html
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: RealGuide (HKLM)
O9 - Extra button: ICQ Lite (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} (Google Activate) -
http://toolbar.google.com/data/de/deleon/1.1.62-deleon/GoogleNav.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX
Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} -
http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-9490133
8C922/wmv9VCM.CAB
O19 - User stylesheet: C:\WINDOWS\sample.txt
Click to expand...
 
D

Dirk Nachbar

actually this shredder worked best, thanks

Dirk

--
email: (e-mail address removed)
Robin T Cox said:
hi

i got a problem with pop-ups and a startpage, which i haven't chosen
myself. Could someone check my hijack log file and tell me what I have
to eliminate. Thanks

Logfile of HijackThis v1.97.7
Scan saved at 13:37:25, on 06/01/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATIPTAXX.EXE
C:\WINDOWS\TRAYP95.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\WINAMP3\WINAMPA.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\WINLOGON.EXE
C:\PROGRAM FILES\ONTRACK\SYSTEMSUITE\MXTASK.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\TOTALCMD\TOTALCMD.EXE
C:\WINDOWS\TEMP\_TC\HIJACKTHIS.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
C:\WINDOWS\homepage.htm
F1 - win.ini: run=hpfsched
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {00110011-4B0B-44D5-9718-90C88817369B} -
C:\WINDOWS\NavExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} -
C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLENAV.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe
powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [Fix-It AV]
C:\PROGRA~1\ONTRACK\SYSTEM~1\MEMCHECK.EXE O4 - HKLM\..\Run:
[TrayPopup] C:\WINDOWS\trayp95.exe O4 - HKLM\..\Run: [TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Windows Shell Library Loader] load shell.dll /c
/set O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe
powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager]
C:\WINDOWS\SYSTEM\MDM.EXE O4 - HKCU\..\Run: [winlogon]
c:\windows\winlogon.exe O4 - HKCU\..\Run: [QuickTime Task]
c:\windows\qttasks.exe O4 - Startup: Microsoft Office.lnk = C:\Program
Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: SystemSuite.lnk = C:\Program
Files\Ontrack\SystemSuite\MXTask.exe
O8 - Extra context menu item: &Google Search -
res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLENAV.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page -
res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLENAV.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages -
res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLENAV.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links -
res://C:\WINDOWS\DOWNLOADED PROGRAM
FILES\GOOGLENAV.DLL/cmbacklinks.html O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: RealGuide (HKLM)
O9 - Extra button: ICQ Lite (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash
Object) -
http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} (Google Activate) -
http://toolbar.google.com/data/de/deleon/1.1.62-deleon/GoogleNav.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX
Control) -
http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab O16
- DPF: {33564D57-0000-0010-8000-00AA00389B71} -
http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94
90133 8C922/wmv9VCM.CAB
O19 - User stylesheet: C:\WINDOWS\sample.txt
Click to expand...
O2 - BHO: (no name) - {00110011-4B0B-44D5-9718-90C88817369B} -
C:\WINDOWS\NavExt.dll
Click to expand...

This is a CoolWebSearch parasite variant. Use CWShredder to remove, then
repost:
http://www.merijn.org/files/CWShredder.exe
Click to expand...
 
J

John Coutts

indeed... folks, please use malware specific tools first before
resorting to hijackthis and making us hunt through google for you to
figure out which things belong and which don't...

hijackthis is good, but it should be used as one of the last resorts...
there are good tools out there that already know what a wide variety of
bad things look like and can usually diagnose problems for you, which
means those tools should probably be able to help you much faster and
with less effort on everyone's part...
Click to expand...
******************* REPLY SEPARATER ***********************
I disagree completely. I have used HiJackThis to clean up many machines, and it
is far better than installing a bunch of specific detectors. If the customer
doesn't know what something is, I remove it. If they find that they do want
something that has been removed, it can always be reinstalled. I have not
received one complaint. On the contrary, they have always thanked me for doing
what they did not how. In this case, I would normally have removed 3/4 of what
is on the provided list using the hints from the HijackThis log Tutorial.

In this particular case however, I believe the main problem is NavExt, which is
a browser hijacker implemented as a browser helper object. The hijacker will
redirect your browser to www.search-space.com. For more information see:

http://www.kephyr.com/spywarescanner/library/navext/index.phtml

J.A. Coutts
Systems Engineer
MantaNet/TravPro
 
K

kurt wismer

John said:
******************* REPLY SEPARATER ***********************
I disagree completely. I have used HiJackThis to clean up many machines, and it
is far better than installing a bunch of specific detectors. If the customer
doesn't know what something is, I remove it.
Click to expand...

well there's our difference then... i'm more interested in people
learning how to solve their own problems than learning how to become
dependant on me...

now, if you (a technically minded individual who knows how to solve
problems) want to run hijackthis on customers computers *for them* and
use that as a diagnostic tool, by all means do so... but for folks who
don't know how to solve their own problems yet it's better for *them*
to use tools that can perform a diagnosis with little or no input from
the user - and should that fail then they should come here looking for
additional assistance...

in other words the user at hand should use the tools that are more
appropriate to them, not you (unless you are the user at hand)...
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

no browse ,ping by name-hijack log? 1
Computer freezes 13
My browser is hijacked can anyone help me? 23
Attack by Unknowns and Defunct Norton AV and System Restore 1
Downloader.Swizzor by AVG 2
trojans bispy.a and bispy.b 4
Help needed on IE6 after attack of ibm00003 virus 30
Need Help Removing Popuppers.com spam 28

Top