
HijackThis log. Anything wrong?

VenomXt

Blame me for the RAZR's
#1
Anyone see anything in this HijackThis log that looks abnormal? Win 98 machine.. (cries). I had him run Spybot on it before this was created.

Logfile of HijackThis v1.99.1
Scan saved at 10:08:47 PM, on 09/27/2006
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\COMPAQ\COMPAQ EASY ACCESS BUTTON SUPPORT\CPQBZL.EXE
C:\PROGRAM FILES\ENCOMPASS\MONITOR.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\AMEDDTCT.EXE
C:\PROGRA~1\COMPAQ\COMPAQ~1\OSD.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATIKEY32.EXE
C:\WINDOWS\SYSTEM\ATICWD32.EXE
C:\COMPAQ\INTERNET\WATCHDOG.EXE
C:\WINDOWS\SYSTEM\MONSERV.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\3CMLNKW.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\POPUPWITHCAST\SEPTPOP06APSEPT.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\UUUO\SMSS.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOTDD01.EXE
C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\DISTILLR\ACROTRAY.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOHMR08.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\OODSREGR.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOEVM08.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOSTS08.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.compaq.com/scripts/consumer/redir.asp?s=default&i=enu
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.compaq.com/scripts/consumer/redir.asp?s=default&i=enu
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.compaq.com/scripts/consumer/redir.asp?s=default&i=enu
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {BCAE90A7-2843-38B5-6BE0-518009390496} - C:\WINDOWS\SYSTEM\ONOK.DLL
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\ACROBAT\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {8DA5457F-A8AA-4CCF-A842-70E6FD274094} - C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLST.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\SPYBOT~1\SDHELPER.DLL
O2 - BHO: (no name) - {BCAE90A7-2843-38B5-6BE0-518009390496} - C:\WINDOWS\SYSTEM\ONOK.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Essdc] essdc.exe
O4 - HKLM\..\Run: [AtiKey] Atikey32.exe
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [Encompass Monitor] C:\Program Files\Encompass\MONITOR.EXE
O4 - HKLM\..\Run: [Compaq Internet Setup] C:\Compaq\Internet\InetWizard.exe /RUN
O4 - HKLM\..\Run: [Watch Dog Program] C:\COMPAQ\INTERNET\WATCHDOG.EXE
O4 - HKLM\..\Run: [QuickenSEMessage] C:\QUICKENW\QSEMSG.EXE
O4 - HKLM\..\Run: [BillMinder] C:\QUICKENW\BILLMIND.EXE
O4 - HKLM\..\Run: [Alps Electric USB Server] MONSERV.EXE
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [3Cmlink] c:\windows\SYSTEM\3cmlnkW.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [Media Access] C:\PROGRAM FILES\MEDIA ACCESS\MediaAccK.exe
O4 - HKLM\..\Run: [Pvsmlfp] C:\PROGRAM FILES\LWYL\IVXFUX.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [septpop06apsept] C:\PROGRAM FILES\POPUPWITHCAST\SEPTPOP06APSEPT.exe
O4 - HKLM\..\Run: [smgad85c] RUNDLL32.EXE w1ed1e2b.dll,n 004ad858000000021ed1e2b
O4 - HKLM\..\Run: [webrebates] C:\Program Files\WebRebates4\webrebates.dll
O4 - HKLM\..\Run: [{C1-18-8D-DF-ZN}] C:\WINDOWS\SYSTEM\OODSREGR.EXE ELT001
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\SYSTEM\QWINPPES.EXE ELT001
O4 - HKLM\..\RunServices: [CPQEASYACC] C:\Program Files\Compaq\Compaq Easy Access Button Support\cpqbzl.exe
O4 - HKLM\..\RunServices: [EncMonitor] C:\Program Files\Encompass\Monitor.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [CAISafe] C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O4 - HKCU\..\Run: [ModemInstallAssistant] D:\SUPPORT\MODEMINSTALL.EXE
O4 - HKCU\..\Run: [Tedl] "C:\WINDOWS\uuuo\smss.exe" -vt yazb
O4 - HKCU\..\Run: [Zvnm] C:\My Documents\Daur\rtaonhf.exe
O4 - Startup: hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: hp instant support.lnk = C:\Program Files\Hewlett-Packard\hpis\bin\matcli.exe
O4 - Startup: hp psc 1000 series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
O4 - Startup: TA_Start.lnk = C:\WINDOWS\TIELT001.exe
O4 - Startup: Think-Adz.lnk = C:\WINDOWS\SYSTEM\qwinppes.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtw32.dll
O13 - WWW. Prefix: http://
O15 - Trusted Zone: *.mmohsix.com
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
j79zlr

Glaanies script monkey
Political User
#3
Have HJT remove:

O4 - HKLM\..\Run: [Media Access] C:\PROGRAM FILES\MEDIA ACCESS\MediaAccK.exe
O4 - HKLM\..\Run: [Pvsmlfp] C:\PROGRAM FILES\LWYL\IVXFUX.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [septpop06apsept] C:\PROGRAM FILES\POPUPWITHCAST\SEPTPOP06APSEPT.exe
O4 - HKLM\..\Run: [smgad85c] RUNDLL32.EXE w1ed1e2b.dll,n 004ad858000000021ed1e2b
O4 - HKLM\..\Run: [webrebates] C:\Program Files\WebRebates4\webrebates.dll
O4 - HKLM\..\Run: [{C1-18-8D-DF-ZN}] C:\WINDOWS\SYSTEM\OODSREGR.EXE ELT001
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\SYSTEM\QWINPPES.EXE ELT001
O4 - HKCU\..\Run: [Tedl] "C:\WINDOWS\uuuo\smss.exe" -vt yazb
O4 - HKCU\..\Run: [Zvnm] C:\My Documents\Daur\rtaonhf.exe
O4 - Startup: TA_Start.lnk = C:\WINDOWS\TIELT001.exe
O4 - Startup: Think-Adz.lnk = C:\WINDOWS\SYSTEM\qwinppes.exe
O13 - WWW. Prefix: http://
O15 - Trusted Zone: *.mmohsix.com
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)

Reboot into safe mode and delete:

C:\My Documents\Daur\rtaonhf.exe <--file
C:\PROGRAM FILES\LWYL\ <--folder
C:\PROGRAM FILES\MEDIA ACCESS\ <--folder
C:\PROGRAM FILES\POPUPWITHCAST\ <--folder
C:\Program Files\WebRebates4\ <--folder
C:\WINDOWS\SYSTEM\OODSREGR.EXE <--file
C:\WINDOWS\SYSTEM\QWINPPES.EXE <--file
C:\WINDOWS\uuuo\ <--folder
C:\WINDOWS\TIELT001.exe <--file

Reboot and post a new log.
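As an added example (not from the thread or from HijackThis), a small Python triage script that parses O4 and O15 lines in the log format above and flags the traits the entries picked out in the reply share: Trusted Zone additions, vowel-free random value names, autorun targets under My Documents or in an odd folder beneath C:\WINDOWS, and Run values that point at a DLL. The sample lines are copied from the posted log; the rules are my own heuristics.

```python
import re
from pathlib import PureWindowsPath

# Sample lines copied from the posted log (a handful, not the full log).
SAMPLE_LINES = [
    r"O4 - HKLM\..\Run: [SystemTray] SysTray.Exe",
    r"O4 - HKLM\..\Run: [Pvsmlfp] C:\PROGRAM FILES\LWYL\IVXFUX.EXE",
    r'O4 - HKCU\..\Run: [Tedl] "C:\WINDOWS\uuuo\smss.exe" -vt yazb',
    r"O4 - HKCU\..\Run: [Zvnm] C:\My Documents\Daur\rtaonhf.exe",
    r"O4 - HKLM\..\Run: [webrebates] C:\Program Files\WebRebates4\webrebates.dll",
    r"O15 - Trusted Zone: *.media-motor.net",
    r"O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (WGA) - http://go.microsoft.com/fwlink/?LinkID=39204",
]

RUN_RE = re.compile(r"^O4 - (?P<where>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
STARTUP_RE = re.compile(r"^O4 - Startup: (?P<name>.+?) = (?P<cmd>.*)$")
ZONE_RE = re.compile(r"^O15 - Trusted Zone: (?P<zone>\S+)")
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll)', re.IGNORECASE)
VOWELS = set("aeiouy")

def parse_line(line):
    """Return a dict for O4 (autorun) and O15 (Trusted Zone) lines, else None."""
    m = RUN_RE.match(line) or STARTUP_RE.match(line)
    if m:
        return {"section": "O4", "name": m["name"], "cmd": m["cmd"]}
    m = ZONE_RE.match(line)
    if m:
        return {"section": "O15", "name": m["zone"], "cmd": ""}
    return None

def suspicious_reasons(entry):
    """Heuristic checks (my own, not HijackThis rules); returns a list of reasons."""
    if entry["section"] == "O15":
        return ["IE Trusted Zone entry (sites here escape normal zone restrictions)"]
    reasons = []
    if not set(entry["name"].lower()) & VOWELS:
        reasons.append("random-looking value name")
    m = PATH_RE.search(entry["cmd"])
    if m:
        path = PureWindowsPath(m.group(0))
        parts = [p.lower() for p in path.parts]  # e.g. ['c:\\', 'windows', 'uuuo', 'smss.exe']
        if len(parts) >= 4 and parts[1] == "windows" and parts[2] not in ("system", "system32"):
            reasons.append("executable in a non-standard folder under C:\\WINDOWS")
        if parts[1] == "my documents":
            reasons.append("autorun points into the user's documents folder")
        if path.suffix.lower() == ".dll" and "rundll32" not in entry["cmd"].lower():
            reasons.append("Run value points at a DLL rather than an executable")
    return reasons

def triage(lines):
    """Return [(line, reasons)] for every parsed entry with at least one reason."""
    out = []
    for line in lines:
        entry = parse_line(line)
        if entry and suspicious_reasons(entry):
            out.append((line, suspicious_reasons(entry)))
    return out

if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LINES):
        print(line, "\n   ->", "; ".join(reasons))
```

Heuristics like these only pre-filter for a human reviewer; an innocuously named entry such as the TA_Start.lnk line in the posted log would pass them.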