HijackThis log. Anything wrong?

Anyone see anything in this HijackThis log that looks abnormal? Win 98 machine.. (cries). I had him run Spybot on it before this was created.

Logfile of HijackThis v1.99.1
Scan saved at 10:08:47 PM, on 09/27/2006
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\COMPAQ\COMPAQ EASY ACCESS BUTTON SUPPORT\CPQBZL.EXE
C:\PROGRAM FILES\ENCOMPASS\MONITOR.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\AMEDDTCT.EXE
C:\PROGRA~1\COMPAQ\COMPAQ~1\OSD.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATIKEY32.EXE
C:\WINDOWS\SYSTEM\ATICWD32.EXE
C:\COMPAQ\INTERNET\WATCHDOG.EXE
C:\WINDOWS\SYSTEM\MONSERV.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\3CMLNKW.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\POPUPWITHCAST\SEPTPOP06APSEPT.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\UUUO\SMSS.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOTDD01.EXE
C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\DISTILLR\ACROTRAY.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOHMR08.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\OODSREGR.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOEVM08.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOSTS08.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.compaq.com/scripts/consumer/redir.asp?s=default&i=enu
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.compaq.com/scripts/consumer/redir.asp?s=default&i=enu
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.compaq.com/scripts/consumer/redir.asp?s=default&i=enu
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {BCAE90A7-2843-38B5-6BE0-518009390496} - C:\WINDOWS\SYSTEM\ONOK.DLL
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\ACROBAT\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {8DA5457F-A8AA-4CCF-A842-70E6FD274094} - C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLST.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\SPYBOT~1\SDHELPER.DLL
O2 - BHO: (no name) - {BCAE90A7-2843-38B5-6BE0-518009390496} - C:\WINDOWS\SYSTEM\ONOK.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Essdc] essdc.exe
O4 - HKLM\..\Run: [AtiKey] Atikey32.exe
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [Encompass Monitor] C:\Program Files\Encompass\MONITOR.EXE
O4 - HKLM\..\Run: [Compaq Internet Setup] C:\Compaq\Internet\InetWizard.exe /RUN
O4 - HKLM\..\Run: [Watch Dog Program] C:\COMPAQ\INTERNET\WATCHDOG.EXE
O4 - HKLM\..\Run: [QuickenSEMessage] C:\QUICKENW\QSEMSG.EXE
O4 - HKLM\..\Run: [BillMinder] C:\QUICKENW\BILLMIND.EXE
O4 - HKLM\..\Run: [Alps Electric USB Server] MONSERV.EXE
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [3Cmlink] c:\windows\SYSTEM\3cmlnkW.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [Media Access] C:\PROGRAM FILES\MEDIA ACCESS\MediaAccK.exe
O4 - HKLM\..\Run: [Pvsmlfp] C:\PROGRAM FILES\LWYL\IVXFUX.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [septpop06apsept] C:\PROGRAM FILES\POPUPWITHCAST\SEPTPOP06APSEPT.exe
O4 - HKLM\..\Run: [smgad85c] RUNDLL32.EXE w1ed1e2b.dll,n 004ad858000000021ed1e2b
O4 - HKLM\..\Run: [webrebates] C:\Program Files\WebRebates4\webrebates.dll
O4 - HKLM\..\Run: [{C1-18-8D-DF-ZN}] C:\WINDOWS\SYSTEM\OODSREGR.EXE ELT001
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\SYSTEM\QWINPPES.EXE ELT001
O4 - HKLM\..\RunServices: [CPQEASYACC] C:\Program Files\Compaq\Compaq Easy Access Button Support\cpqbzl.exe
O4 - HKLM\..\RunServices: [EncMonitor] C:\Program Files\Encompass\Monitor.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [CAISafe] C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O4 - HKCU\..\Run: [ModemInstallAssistant] D:\SUPPORT\MODEMINSTALL.EXE
O4 - HKCU\..\Run: [Tedl] "C:\WINDOWS\uuuo\smss.exe" -vt yazb
O4 - HKCU\..\Run: [Zvnm] C:\My Documents\Daur\rtaonhf.exe
O4 - Startup: hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: hp instant support.lnk = C:\Program Files\Hewlett-Packard\hpis\bin\matcli.exe
O4 - Startup: hp psc 1000 series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
O4 - Startup: TA_Start.lnk = C:\WINDOWS\TIELT001.exe
O4 - Startup: Think-Adz.lnk = C:\WINDOWS\SYSTEM\qwinppes.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtw32.dll
O13 - WWW. Prefix: http://
O15 - Trusted Zone: *.mmohsix.com
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204

SEPTPOP06APSEPT.EXE doesn't look good from here!! Try Googling it.

Have HJT remove:

O4 - HKLM\..\Run: [Media Access] C:\PROGRAM FILES\MEDIA ACCESS\MediaAccK.exe
O4 - HKLM\..\Run: [Pvsmlfp] C:\PROGRAM FILES\LWYL\IVXFUX.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [septpop06apsept] C:\PROGRAM FILES\POPUPWITHCAST\SEPTPOP06APSEPT.exe
O4 - HKLM\..\Run: [smgad85c] RUNDLL32.EXE w1ed1e2b.dll,n 004ad858000000021ed1e2b
O4 - HKLM\..\Run: [webrebates] C:\Program Files\WebRebates4\webrebates.dll
O4 - HKLM\..\Run: [{C1-18-8D-DF-ZN}] C:\WINDOWS\SYSTEM\OODSREGR.EXE ELT001
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\SYSTEM\QWINPPES.EXE ELT001
O4 - HKCU\..\Run: [Tedl] "C:\WINDOWS\uuuo\smss.exe" -vt yazb
O4 - HKCU\..\Run: [Zvnm] C:\My Documents\Daur\rtaonhf.exe
O4 - Startup: TA_Start.lnk = C:\WINDOWS\TIELT001.exe
O4 - Startup: Think-Adz.lnk = C:\WINDOWS\SYSTEM\qwinppes.exe
O13 - WWW. Prefix: http://
O15 - Trusted Zone: *.mmohsix.com
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)

Reboot into safemode and delete:

C:\My Documents\Daur\rtaonhf.exe <--file
C:\PROGRAM FILES\LWYL\ <--folder
C:\PROGRAM FILES\MEDIA ACCESS\ <--folder
C:\PROGRAM FILES\POPUPWITHCAST\ <--folder
C:\Program Files\WebRebates4\ <--folder
C:\WINDOWS\SYSTEM\OODSREGR.EXE <--file
C:\WINDOWS\SYSTEM\QWINPPES.EXE <--file
C:\WINDOWS\uuuo\ <--folder
C:\WINDOWS\TIELT001.exe <--file

Reboot and post a new log.
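Added example, not part of the thread and not HijackThis code: a small Python parser for the log format shown above that applies a few deterministic checks to the "Running processes" list and to the R3/O2/O4/O15 lines, then groups the hits into the same two lists the reply gives (entries for HJT to fix, files to delete) and cross-references the files against the process list so you know which ones will only delete cleanly from safe mode. The sample input is a handful of lines copied from the posted log, and the heuristics (system-binary name outside C:\WINDOWS or C:\WINDOWS\SYSTEM, autostart from a user-writable folder, any Trusted Zone addition, any unnamed BHO or URLSearchHook) are my own rules of thumb, not an authoritative signature set: they catch the masqueraded smss.exe, the My Documents autostart and the Mirar/media-motor zone entries, but an adware executable with a plain name under Program Files, like SEPTPOP06APSEPT.EXE, still needs the eyeball-and-Google step the reply recommends.

```python
from __future__ import annotations
import ntpath
import re
from dataclasses import dataclass, field

# Constructed sample: a few lines copied from the log above so the script runs offline.
# Pass a whole HijackThis log to analyze() for real use.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\UUUO\SMSS.EXE

R3 - URLSearchHook: (no name) - {BCAE90A7-2843-38B5-6BE0-518009390496} - C:\WINDOWS\SYSTEM\ONOK.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\ACROBAT\ACTIVEX\ACROIEHELPER.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKCU\..\Run: [Tedl] "C:\WINDOWS\uuuo\smss.exe" -vt yazb
O4 - HKCU\..\Run: [Zvnm] C:\My Documents\Daur\rtaonhf.exe
O4 - Startup: TA_Start.lnk = C:\WINDOWS\TIELT001.exe
O15 - Trusted Zone: *.mmohsix.com
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
"""

SYSTEM_DIRS = {r"C:\WINDOWS", r"C:\WINDOWS\SYSTEM"}          # where Win9x keeps its own binaries
SYSTEM_BINARY_NAMES = {"smss.exe", "csrss.exe", "winlogon.exe", "svchost.exe",
                       "explorer.exe", "msgsrv32.exe", "systray.exe", "rundll32.exe"}
USER_WRITABLE = (r"c:\my documents", r"c:\windows\temp")      # heuristic prefixes, my assumption

@dataclass
class Finding:
    section: str        # "process", "O4", "O15", "R3", "O2"
    line: str           # the original log line
    reason: str
    path: str = ""

@dataclass
class Report:
    processes: list[str] = field(default_factory=list)             # "Running processes:" paths
    autostarts: list[tuple[str, str]] = field(default_factory=list)  # (O4 line, executable path)
    findings: list[Finding] = field(default_factory=list)

def _exe_path(cmd: str) -> str:
    """Pull the executable out of an O4 command line, quoted or bare, dropping arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.+?\.(?:exe|dll|scr|com))(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]

def check_path(section: str, line: str, path: str) -> list[Finding]:
    """Flag a system-binary name running outside the system dirs, or a user-writable autostart."""
    out: list[Finding] = []
    directory = ntpath.dirname(path).upper()
    name = ntpath.basename(path).lower()
    if directory and name in SYSTEM_BINARY_NAMES and directory not in SYSTEM_DIRS:
        out.append(Finding(section, line, f"{name} is a Windows system binary name but runs from {directory}", path))
    if path.lower().startswith(USER_WRITABLE):
        out.append(Finding(section, line, "autostart from a user-writable location", path))
    return out

def analyze(log_text: str) -> Report:
    rep = Report()
    in_procs = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False                     # blank line ends the process list
            continue
        if line.lower().startswith("running processes:"):
            in_procs = True
            continue
        if in_procs:
            rep.processes.append(line)
            rep.findings += check_path("process", line, line)
            continue
        m = re.match(r"^(R\d|O\d+) - (.*)$", line)
        if not m:
            continue
        tag, body = m.groups()
        if tag == "O4":
            if body.startswith("Startup:") and " = " in body:
                cmd = body.split(" = ", 1)[1]                # Startup folder .lnk -> target
            else:
                mm = re.match(r".*?\[.*?\] (.*)$", body)     # Run key: [value name] command
                cmd = mm.group(1) if mm else body
            path = _exe_path(cmd)
            rep.autostarts.append((line, path))
            rep.findings += check_path("O4", line, path)
        elif tag == "O15":
            rep.findings.append(Finding("O15", line, "site added to the IE Trusted Zone; rarely legitimate on a home PC"))
        elif tag in ("R3", "O2") and "(no name)" in body:
            rep.findings.append(Finding(tag, line, "unnamed URLSearchHook/BHO; identify the DLL before keeping it"))
    return rep

def removal_plan(rep: Report) -> dict:
    """HJT lines to fix, files to delete, and which of those files is still running."""
    running = {p.upper() for p in rep.processes}
    fix = sorted({f.line for f in rep.findings if f.section != "process"})
    delete = sorted({f.path for f in rep.findings if f.section == "O4" and ntpath.dirname(f.path)}, key=str.upper)
    return {"fix": fix, "delete": delete, "running": [p for p in delete if p.upper() in running]}

if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for f in report.findings:
        print(f"[{f.section}] {f.reason}\n    {f.line}")
    plan = removal_plan(report)
    print("\nHave HJT fix:", *plan["fix"], sep="\n  ")
    print("\nDelete after reboot into safe mode:", *plan["delete"], sep="\n  ")
    print("\nStill running right now:", *plan["running"], sep="\n  ")
```

The O2 check is deliberately a "verify" list rather than a "delete" list: on the full log it would also flag Spybot's own SDHELPER.DLL, which is unnamed but legitimate, so resolve each CLSID and DLL before fixing it.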