Logfile of HijackThis v1.99.1
Scan saved at 9:44:57 PM, on 9/30/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\ATI2EVXX.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\LEXPPS.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\WINPORTRAIT\WPCTRL.EXE
C:\PROGRAM FILES\AHEAD\INCD\INCD.EXE
C:\WINDOWS\SYSTEM\ATIPTAXX.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\SXGTKBAR.EXE
C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\ATI MULTIMEDIA\MAIN\ATISCHED.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\PLAXO\2.2.2.4\INSTALLSTUB.EXE
C:\PROGRAM FILES\NIKON\NKVIEW6\NKVMON.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\YAHOO!\MESSENGER\YMSGR_TRAY.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://acc.count-all.com/--/?riqrq (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://acc.count-all.com/--/?riqrq (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://1-se.com/home.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://ie-search.com/srchasst.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://www.terra.es/...rl/s/search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie-search.com/srchasst.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie-search.com/home.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///c:/windows/hp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = C:\WINDOWS\system32\searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://ie-search.com/srchasst.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie-search.com/srchasst.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie-search.com/home.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://dxxrog.t.rack.cc/sp.php (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = http://ie-search.com/srchasst.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.searchv.com/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://ie-search.com/srchasst.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://ie-search.com/home.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://dxxrog.t.rack.cc/hp.php (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://dxxrog.t.rack.cc/hp.php (obfuscated)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: Replace Search Ctl - {832BEBED-C3DA-4534-A2C2-B2FFF220C820} - C:\WINDOWS\SYSTEM\REPLACESEARCH.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\DATA\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] systray.exe
O4 - HKLM\..\Run: [PivotSoftware] C:\Program Files\WinPortrait\wpctrl.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Windows Shell Library Loader] load shell.dll /c /set
O4 - HKLM\..\Run: [NEU] C:\WINDOWS\NEU.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE
O4 - HKLM\..\Run: [SxgTkBar] SxgTkBar.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [OmgStartup] C:\Program Files\Common Files\Sony Shared\OpenMG\OmgStartup.exe
O4 - HKLM\..\RunServices: [ATIPOLAB] ati2evxx.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKCU\..\Run: [ATI Scheduler] C:\PROGRAM FILES\ATI MULTIMEDIA\MAIN\ATISched.EXE
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [SYSfit] C:\WINDOWS\SYSfit.exe
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.2.2.4\InstallStub.exe -a
O4 - HKCU\..\Run: [Mrqyndy] C:\WINDOWS\SYSTEM\gpqbb.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Web Search - c:\windows\ex.htm
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {BA224D00-9553-11d2-9D65-00A0CC22CBC4} - (no file)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0411.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0411.DLL
O12 - Plugin for .avi: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O15 - Trusted IP range: 66.230.143.209
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.mac...ash/swflash.cab
O16 - DPF: {f760cb9e-c60f-4a89-890e-fae8b849493e} -
O18 - Filter: text/html - {4F7681E5-6CAF-478D-9CB8-4CA593BEE7FB} - (no file)
O19 - User stylesheet: c:\windows\system.css
Kaspersky Mwave Scan log
File C:\WINDOWS\sys_ext.dll infected by "Trojan.Win32.StartPage.bx" Virus. Action Taken: File Deleted.
File C:\WINDOWS\SYSTEM\REPLACESEARCH.DLL tagged as not-a-virus:AdWare.ReSearch.a. No Action Taken.
File C:\PROGRA~1\EBWU\RHUO.EXE infected by "Trojan-Downloader.Win32.PurityScan.ah" Virus. Action Taken: File Deleted.
File C:\WINDOWS\SYSfit.exe infected by "Trojan.Win32.StartPage.sy" Virus. Action Taken: File Deleted.
File C:\WINDOWS\NDNuninstall4_80.exe tagged as not-a-virus:AdWare.NewDotNet. No Action Taken.
File C:\WINDOWS\Q824145.exe infected by "Trojan-Downloader.Win32.WinShow.av" Virus. Action Taken: File Deleted.
File C:\WINDOWS\NDNuninstall4_88.exe tagged as not-a-virus:AdWare.NewDotNet. No Action Taken.
File C:\WINDOWS\NDNuninstall4_94.exe tagged as not-a-virus:AdWare.NewDotNet. No Action Taken.
File C:\WINDOWS\sys.reg infected by "Trojan.WinREG.StartPage" Virus. Action Taken: File Deleted.
File C:\WINDOWS\vldial.exe tagged as not-a-virus:Porn-Dialer.Win32.WebDialer. No Action Taken.
File C:\WINDOWS\madise.dll infected by "Trojan.Win32.Madise.a" Virus. Action Taken: File Deleted.
File C:\WINDOWS\NDNuninstall5_40.exe tagged as not-a-virus:AdWare.NewDotNet. No Action Taken.
File C:\WINDOWS\NDNuninstall5_48.exe tagged as not-a-virus:AdWare.NewDotNet. No Action Taken.
File C:\WINDOWS\load.bat infected by "Trojan-Clicker.Win32.Qhost.a" Virus. Action Taken: File Deleted.
File C:\WINDOWS\ISTactivex.dll infected by "Trojan-Downloader.Win32.IstBar.ag" Virus. Action Taken: File Deleted.
File C:\WINDOWS\nem214.dll infected by "Trojan-Downloader.Win32.Dyfuca.j" Virus. Action Taken: File Deleted.
File C:\WINDOWS\SYSsfitb.exe tagged as not-a-virus:AdWare.EZula.i. No Action Taken.
File C:\WINDOWS\SYSTEM\q78kdov0.dll tagged as not-a-virus:AdWare.CoolWeb. No Action Taken.
File C:\WINDOWS\SYSTEM\qpaeesv0.exe tagged as not-a-virus:Porn-Dialer.Win32.WebDialer. No Action Taken.
File C:\WINDOWS\SYSTEM\SYSsfitb.dll tagged as not-a-virus:AdWare.ToolBar.SearchIt.g. No Action Taken.
File C:\WINDOWS\SYSTEM\replaceSearch.dll tagged as not-a-virus:AdWare.ReSearch.a. No Action Taken.
File C:\WINDOWS\SYSTEM\msmsgs.exe infected by "Trojan-Downloader.Win32.Zlob.ai" Virus. Action Taken: File Deleted.
File C:\WINDOWS\SYSTEM\q78kdov0.dll tagged as not-a-virus:AdWare.CoolWeb. No Action Taken.
File C:\WINDOWS\SYSTEM\qpaeesv0.exe tagged as not-a-virus:Porn-Dialer.Win32.WebDialer. No Action Taken.
File C:\WINDOWS\SYSTEM\SYSsfitb.dll tagged as not-a-virus:AdWare.ToolBar.SearchIt.g. No Action Taken.
File C:\WINDOWS\SYSTEM\replaceSearch.dll tagged as not-a-virus:AdWare.ReSearch.a. No Action Taken.
File C:\WINDOWS\HELP\Help\services.exe infected by "Email-Worm.Win32.Sober.q" Virus. Action Taken: File Deleted.
File C:\WINDOWS\HELP\Help\smss.exe infected by "Email-Worm.Win32.Sober.q" Virus. Action Taken: File Deleted.
File C:\WINDOWS\HELP\Help\csrss.exe infected by "Email-Worm.Win32.Sober.q" Virus. Action Taken: File Deleted.
File C:\WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchXPlugin3.zip infected by "Password-protected-EXE" Virus. Action Taken: File Renamed.
File C:\WINDOWS\NDNuninstall4_80.exe tagged as not-a-virus:AdWare.NewDotNet. No Action Taken.
File C:\WINDOWS\NDNuninstall4_88.exe tagged as not-a-virus:AdWare.NewDotNet. No Action Taken.
File C:\WINDOWS\NDNuninstall4_94.exe tagged as not-a-virus:AdWare.NewDotNet. No Action Taken.
File C:\WINDOWS\vldial.exe tagged as not-a-virus:Porn-Dialer.Win32.WebDialer. No Action Taken.
File C:\WINDOWS\NDNuninstall5_40.exe tagged as not-a-virus:AdWare.NewDotNet. No Action Taken.
File C:\WINDOWS\NDNuninstall5_48.exe tagged as not-a-virus:AdWare.NewDotNet. No Action Taken.
File C:\WINDOWS\SYSsfitb.exe tagged as not-a-virus:AdWare.EZula.i. No Action Taken.
File C:\WINDOWS\Connection Wizard\Status\fhgeasyc.exe infected by "Email-Worm.Win32.Sober.q" Virus. Action Taken: File Deleted.
File C:\Program Files\Webdialer\vldial.exe tagged as not-a-virus:Porn-Dialer.Win32.WebDialer. No Action Taken.
File C:\Program Files\Norton AntiVirus V460\Quarantine\444A3FF4.exe infected by "Trojan.Win32.StartPage.y" Virus. Action Taken: File Deleted.
File C:\Program Files\Norton AntiVirus V460\Quarantine\44533DE9.hta infected by "Trojan.VBS.StartPage.h" Virus. Action Taken: File Deleted.
File C:\Program Files\Norton AntiVirus V460\Quarantine\11E83DF0.exe infected by "Trojan-Downloader.Win32.Femad.j" Virus. Action Taken: File Deleted.
File C:\Program Files\Norton AntiVirus V460\Quarantine\12647967.exe infected by "Backdoor.Win32.Jeemp.c" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus V460\Quarantine\128E1B38.exe infected by "Trojan-Downloader.Win32.Small.cb" Virus. Action Taken: File Deleted.
File C:\Program Files\Norton AntiVirus V460\Quarantine\17C3057E.exe infected by "Trojan-Downloader.Win32.Donn.aa" Virus. Action Taken: File Deleted.
File C:\Program Files\Norton AntiVirus V460\Quarantine\3B8B101E.css infected by "Trojan-Clicker.Win32.Qhost.a" Virus. Action Taken: File Deleted.
File C:\Program Files\Norton AntiVirus V460\Quarantine\3B916417.exe infected by "Backdoor.Win32.Jeemp.c" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus V460\Quarantine\3B916417.hta infected by "Trojan.VBS.Valg" Virus. Action Taken: File Deleted.
File C:\Program Files\Norton AntiVirus V460\Quarantine\03120F32.htm infected by "Exploit.JS.ActiveXComponent" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus V460\Quarantine\17607B66.htm infected by "Exploit.HTML.Mht" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus V460\Quarantine\73911081.htm infected by "Exploit.HTML.Mht" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus V460\Quarantine\08DA4DE0.htm infected by "Exploit.HTML.Mht" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus V460\Quarantine\35BF474D.htm infected by "Exploit.HTML.Mht" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus V460\Quarantine\36694E92.class infected by "Trojan.Java.ClassLoader.c" Virus. Action Taken: File Deleted.
File C:\Program Files\Norton AntiVirus V460\Quarantine\3A7B2018.htm infected by "Exploit.HTML.Mht" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus V460\Quarantine\3ADD0BAC.class infected by "Trojan.Java.ClassLoader.c" Virus. Action Taken: File Deleted.
File C:\Program Files\Norton AntiVirus V460\Quarantine\3AED5D9A.htm infected by "Trojan-Downloader.JS.Small.d" Virus. Action Taken: File Deleted.
File C:\Program Files\Norton AntiVirus V460\Quarantine\73ED5C74.exe infected by "Trojan-Dropper.Win32.Small.cu" Virus. Action Taken: File Deleted.
File C:\Program Files\Norton AntiVirus V460\Quarantine\73F3306D.exe infected by "Trojan.Win32.StartPage.kp" Virus. Action Taken: File Deleted.
File C:\Program Files\Norton AntiVirus V460\Quarantine\47E87E29.exe infected by "Trojan.Win32.Small.bm" Virus. Action Taken: File Deleted.
File C:\Program Files\Norton AntiVirus V460\Quarantine\458518DA.exe infected by "Trojan-Downloader.Win32.IstBar.gen" Virus. Action Taken: File Deleted.
File C:\Program Files\Norton AntiVirus V460\Quarantine\458C6CD3.exe infected by "Trojan.Win32.Zapchast" Virus. Action Taken: File Deleted.
File C:\Program Files\Norton AntiVirus V460\Quarantine\48D946A6.exe infected by "Trojan.Win32.StartPage.ey" Virus. Action Taken: File Deleted.
File C:\ht.hta infected by "Trojan-Clicker.JS.gen" Virus. Action Taken: File Deleted.
File C:\~WRF0409.tmp infected by "Trojan-Dropper.Win32.Small.adx" Virus. Action Taken: File Deleted.