• This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn more.

HijackThis log. anything wrong?

VenomXt

Blame me for the RAZR's
#1
Any one see anything in this hijack this log that looks abnormal. win 98 machine.. (crys). I had him run spy bot on it before this was created.

Logfile of HijackThis v1.99.1
Scan saved at 10:08:47 PM, on 09/27/2006
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\COMPAQ\COMPAQ EASY ACCESS BUTTON SUPPORT\CPQBZL.EXE
C:\PROGRAM FILES\ENCOMPASS\MONITOR.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\AMEDDTCT.EXE
C:\PROGRA~1\COMPAQ\COMPAQ~1\OSD.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATIKEY32.EXE
C:\WINDOWS\SYSTEM\ATICWD32.EXE
C:\COMPAQ\INTERNET\WATCHDOG.EXE
C:\WINDOWS\SYSTEM\MONSERV.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\3CMLNKW.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\POPUPWITHCAST\SEPTPOP06APSEPT.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\UUUO\SMSS.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOTDD01.EXE
C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\DISTILLR\ACROTRAY.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOHMR08.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\OODSREGR.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOEVM08.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOSTS08.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.compaq.com/scripts/consumer/redir.asp?s=default&i=enu
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.compaq.com/scripts/consumer/redir.asp?s=default&i=enu
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.compaq.com/scripts/consumer/redir.asp?s=default&i=enu
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {BCAE90A7-2843-38B5-6BE0-518009390496} - C:\WINDOWS\SYSTEM\ONOK.DLL
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\ACROBAT\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {8DA5457F-A8AA-4CCF-A842-70E6FD274094} - C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLST.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\SPYBOT~1\SDHELPER.DLL
O2 - BHO: (no name) - {BCAE90A7-2843-38B5-6BE0-518009390496} - C:\WINDOWS\SYSTEM\ONOK.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Essdc] essdc.exe
O4 - HKLM\..\Run: [AtiKey] Atikey32.exe
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [Encompass Monitor] C:\Program Files\Encompass\MONITOR.EXE
O4 - HKLM\..\Run: [Compaq Internet Setup] C:\Compaq\Internet\InetWizard.exe /RUN
O4 - HKLM\..\Run: [Watch Dog Program] C:\COMPAQ\INTERNET\WATCHDOG.EXE
O4 - HKLM\..\Run: [QuickenSEMessage] C:\QUICKENW\QSEMSG.EXE
O4 - HKLM\..\Run: [BillMinder] C:\QUICKENW\BILLMIND.EXE
O4 - HKLM\..\Run: [Alps Electric USB Server] MONSERV.EXE
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [3Cmlink] c:\windows\SYSTEM\3cmlnkW.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [Media Access] C:\PROGRAM FILES\MEDIA ACCESS\MediaAccK.exe
O4 - HKLM\..\Run: [Pvsmlfp] C:\PROGRAM FILES\LWYL\IVXFUX.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [septpop06apsept] C:\PROGRAM FILES\POPUPWITHCAST\SEPTPOP06APSEPT.exe
O4 - HKLM\..\Run: [smgad85c] RUNDLL32.EXE w1ed1e2b.dll,n 004ad858000000021ed1e2b
O4 - HKLM\..\Run: [webrebates] C:\Program Files\WebRebates4\webrebates.dll
O4 - HKLM\..\Run: [{C1-18-8D-DF-ZN}] C:\WINDOWS\SYSTEM\OODSREGR.EXE ELT001
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\SYSTEM\QWINPPES.EXE ELT001
O4 - HKLM\..\RunServices: [CPQEASYACC] C:\Program Files\Compaq\Compaq Easy Access Button Support\cpqbzl.exe
O4 - HKLM\..\RunServices: [EncMonitor] C:\Program Files\Encompass\Monitor.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [CAISafe] C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O4 - HKCU\..\Run: [ModemInstallAssistant] D:\SUPPORT\MODEMINSTALL.EXE
O4 - HKCU\..\Run: [Tedl] "C:\WINDOWS\uuuo\smss.exe" -vt yazb
O4 - HKCU\..\Run: [Zvnm] C:\My Documents\Daur\rtaonhf.exe
O4 - Startup: hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: hp instant support.lnk = C:\Program Files\Hewlett-Packard\hpis\bin\matcli.exe
O4 - Startup: hp psc 1000 series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
O4 - Startup: TA_Start.lnk = C:\WINDOWS\TIELT001.exe
O4 - Startup: Think-Adz.lnk = C:\WINDOWS\SYSTEM\qwinppes.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtw32.dll
O13 - WWW. Prefix: http://
O15 - Trusted Zone: *.mmohsix.com
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
 

j79zlr

Glaanies script monkey
Political User
#3
Have HJT remove:

O4 - HKLM\..\Run: [Media Access] C:\PROGRAM FILES\MEDIA ACCESS\MediaAccK.exe
O4 - HKLM\..\Run: [Pvsmlfp] C:\PROGRAM FILES\LWYL\IVXFUX.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [septpop06apsept] C:\PROGRAM FILES\POPUPWITHCAST\SEPTPOP06APSEPT.exe
O4 - HKLM\..\Run: [smgad85c] RUNDLL32.EXE w1ed1e2b.dll,n 004ad858000000021ed1e2b
O4 - HKLM\..\Run: [webrebates] C:\Program Files\WebRebates4\webrebates.dll
O4 - HKLM\..\Run: [{C1-18-8D-DF-ZN}] C:\WINDOWS\SYSTEM\OODSREGR.EXE ELT001
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\SYSTEM\QWINPPES.EXE ELT001
O4 - HKCU\..\Run: [Tedl] "C:\WINDOWS\uuuo\smss.exe" -vt yazb
O4 - HKCU\..\Run: [Zvnm] C:\My Documents\Daur\rtaonhf.exe
O4 - Startup: TA_Start.lnk = C:\WINDOWS\TIELT001.exe
O4 - Startup: Think-Adz.lnk = C:\WINDOWS\SYSTEM\qwinppes.exe
O13 - WWW. Prefix: http://
O15 - Trusted Zone: *.mmohsix.com
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)

Reboot into safemode and delete:

C:\My Documents\Daur\rtaonhf.exe <--file
C:\PROGRAM FILES\LWYL\ <--folder
C:\PROGRAM FILES\MEDIA ACCESS\ <--folder
C:\PROGRAM FILES\POPUPWITHCAST\ <--folder
C:\Program Files\WebRebates4\ <--folder
C:\WINDOWS\SYSTEM\OODSREGR.EXE <--file
C:\WINDOWS\SYSTEM\QWINPPES.EXE <--file
C:\WINDOWS\uuuo\ <--folder
C:\WINDOWS\TIELT001.exe <--file

Reboot and post a new log.
 

Members online

No members online now.

Latest posts

Latest profile posts

Electronic Punk wrote on Perris Calderon's profile.
All good still mate?
Hello, is there anybody in there? Just nod if you can hear me ...
Xie
What a long strange trip it's been. =)

Forum statistics

Threads
61,961
Messages
673,239
Members
89,014
Latest member
sanoravies