Hot_kiss
-
IMPORTANT: Only authorized members may reply to threads in this forum due to the complexity of the malware removal process. Authorized members include Malware Specialists and Trainees, Administrators, Moderators, and Trusted Advisors. Regular members are not permitted to reply, and any such posts will be deleted without notice or further explanation. Notice
- Status
1 - 20 of 30 Posts
Joined
·
2,434 Posts
a good antivirus does not swat it???
Joined
·
46,465 Posts
Please do this. Click here to download Hijack This. Click on the Hijackthis.exe.
Click the "Scan" button when the scan is finished the scan button will become "Save Log" click that and save the log.
Go to where you saved the log and click on "Edit > Select All" then click on "Edit > Copy" then Paste the log back here in a reply.
DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required. Someone here will be glad to advise you on what to fix.
*Note: When you download Hijack This Do Not download it to a temp folder or to the desktop. Create a permanent folder somewhere like in My Documents and name it Hijack This and put it in that folder.
Click the "Scan" button when the scan is finished the scan button will become "Save Log" click that and save the log.
Go to where you saved the log and click on "Edit > Select All" then click on "Edit > Copy" then Paste the log back here in a reply.
DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required. Someone here will be glad to advise you on what to fix.
*Note: When you download Hijack This Do Not download it to a temp folder or to the desktop. Create a permanent folder somewhere like in My Documents and name it Hijack This and put it in that folder.
hi, thanks very much, this is the log, please tell me if there is any thing there that should'nt be or anything similar. thanks.
Logfile of HijackThis v1.97.7
Scan saved at 20:13:12, on 27/03/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v5.50 SP1 (5.50.4522.1800)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\FYVV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\MEDIASCAPE\MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\Mediascape\OnScreen Display\OSD.exe
C:\PROGRAM FILES\TEXTBRIDGE CLASSIC 2.0\BIN\INSTANTACCESS.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\POPROXY.EXE
C:\PROGRAM FILES\A4TECH\KEYBOARD\IKEYMAIN.EXE
C:\PROGRAM FILES\A4TECH\MOUSE\AMOUMAIN.EXE
C:\WINDOWS\SYSTEM32\DRIVERS\DCFSSVC.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\LSASS.EXE
C:\WINDOWS\SYSTEM\FYVV.EXE
C:\WINDOWS\SYSTEM\WINLOGON.EXE
C:\PROGRAM FILES\CALENDAR CREATOR CHRISTIAN\SCHEDULER.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\PROGRAM FILES\KODAK\KODAK EASYSHARE SOFTWARE\BIN\EASYSHARE.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTRSS.EXE
C:\WINDOWS\TEMP\UK4.EXE
C:\WINDOWS\DESKTOP\ANDRE COURSEWORK\HTHIS\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://freehqmovies.com/search
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://freehqmovies.com/search
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://freehqmovies.com/search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.123found.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.learndirect.co.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://freehqmovies.com/search
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://freehqmovies.com/search
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://www.fastwebfinder.com/hp.php
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.freeserve.com/
O1 - Hosts: 217.116.231.7 aimtoday.aol.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Multimedia Keyboard] C:\Mediascape\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [OnScreen Display] C:\Mediascape\OnScreen Display\OSD.exe
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\BIN\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\BIN\REGIST~1.EXE
O4 - HKLM\..\Run: [cAg0u] C:\WINDOWS\SYSTEM\74AC79E0.hta
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Norton AntiVirus\POPROXY.EXE
O4 - HKLM\..\Run: [iKeyWorks] C:\PROGRA~1\A4TECH\KEYBOARD\IKEYMAIN.EXE
O4 - HKLM\..\Run: [WheelMouse] C:\PROGRA~1\A4TECH\MOUSE\AMOUMAIN.EXE
O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
O4 - HKLM\..\Run: [RapidBlaster] c:\program files\RapidBlaster\rb32.exe
O4 - HKLM\..\Run: [Dcfssvc] c:\windows\System32\Drivers\dcfssvc.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [System Process] C:\WINDOWS\lsass.exe /i
O4 - HKLM\..\Run: [Hot_Kiss] C:\WINDOWS\Hot_Kiss.exe -n
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\BIN\REGIST~1.EXE
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKCU\..\Run: [Microsoft Works Update Detection] I\WkDetect.exe
O4 - HKCU\..\Run: [iedll] C:\WINDOWS\iedll.exe
O4 - HKCU\..\Run: [loader] C:\WINDOWS\LOADER.EXE
O4 - HKCU\..\Run: [Windows & Internet Cleaner Pro] C:\Program Files\Windows & Internet Cleaner Pro\WICleaner.exe /Startup
O4 - HKCU\..\Run: [System Update] C:\WINDOWS\System\winlogon.exe
O4 - HKLM\..\RunOnce: [tih] fyvv.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\OFFICE\OSA9.EXE
O4 - Startup: Scheduler.lnk = C:\Program Files\Calendar Creator Christian\Scheduler.exe
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: Library Manager.pif = C:\DRIVERS\TATTOO.EXE
O4 - Startup: cuy.exe
O4 - Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Freeserve (HKCU)
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.learndirect.co.uk
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {8100A35F-FFA1-471F-AC9A-2A8847BE78DF} (IberoDialer Class) - http://213.201.69.103/data/dialercab/DialerDLLRTB.cab
O16 - DPF: {2C1651EF-8827-11D6-91A2-00E02964E8E3} (IntRuboskizo Class) - http://www.chicasmodelos.com/ruboskizo.cab
O16 - DPF: {F0AA2376-F073-4E57-86E8-0238F99087C7} (AInst Class) - http://216.129.173.30/xxxnaughty/activeinstaller.dll
O16 - DPF: {11111111-1111-1111-1111-111111111111} - http://usa-download.nocreditcard.net/download/newdial-erp/2736/dialer.exe
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://www.contentwatch.com/audit/includes/ContentAuditControl.cab
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct1_x.cab
Logfile of HijackThis v1.97.7
Scan saved at 20:13:12, on 27/03/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v5.50 SP1 (5.50.4522.1800)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\FYVV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\MEDIASCAPE\MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\Mediascape\OnScreen Display\OSD.exe
C:\PROGRAM FILES\TEXTBRIDGE CLASSIC 2.0\BIN\INSTANTACCESS.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\POPROXY.EXE
C:\PROGRAM FILES\A4TECH\KEYBOARD\IKEYMAIN.EXE
C:\PROGRAM FILES\A4TECH\MOUSE\AMOUMAIN.EXE
C:\WINDOWS\SYSTEM32\DRIVERS\DCFSSVC.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\LSASS.EXE
C:\WINDOWS\SYSTEM\FYVV.EXE
C:\WINDOWS\SYSTEM\WINLOGON.EXE
C:\PROGRAM FILES\CALENDAR CREATOR CHRISTIAN\SCHEDULER.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\PROGRAM FILES\KODAK\KODAK EASYSHARE SOFTWARE\BIN\EASYSHARE.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTRSS.EXE
C:\WINDOWS\TEMP\UK4.EXE
C:\WINDOWS\DESKTOP\ANDRE COURSEWORK\HTHIS\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://freehqmovies.com/search
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://freehqmovies.com/search
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://freehqmovies.com/search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.123found.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.learndirect.co.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://freehqmovies.com/search
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://freehqmovies.com/search
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://www.fastwebfinder.com/hp.php
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.freeserve.com/
O1 - Hosts: 217.116.231.7 aimtoday.aol.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Multimedia Keyboard] C:\Mediascape\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [OnScreen Display] C:\Mediascape\OnScreen Display\OSD.exe
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\BIN\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\BIN\REGIST~1.EXE
O4 - HKLM\..\Run: [cAg0u] C:\WINDOWS\SYSTEM\74AC79E0.hta
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Norton AntiVirus\POPROXY.EXE
O4 - HKLM\..\Run: [iKeyWorks] C:\PROGRA~1\A4TECH\KEYBOARD\IKEYMAIN.EXE
O4 - HKLM\..\Run: [WheelMouse] C:\PROGRA~1\A4TECH\MOUSE\AMOUMAIN.EXE
O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
O4 - HKLM\..\Run: [RapidBlaster] c:\program files\RapidBlaster\rb32.exe
O4 - HKLM\..\Run: [Dcfssvc] c:\windows\System32\Drivers\dcfssvc.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [System Process] C:\WINDOWS\lsass.exe /i
O4 - HKLM\..\Run: [Hot_Kiss] C:\WINDOWS\Hot_Kiss.exe -n
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\BIN\REGIST~1.EXE
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKCU\..\Run: [Microsoft Works Update Detection] I\WkDetect.exe
O4 - HKCU\..\Run: [iedll] C:\WINDOWS\iedll.exe
O4 - HKCU\..\Run: [loader] C:\WINDOWS\LOADER.EXE
O4 - HKCU\..\Run: [Windows & Internet Cleaner Pro] C:\Program Files\Windows & Internet Cleaner Pro\WICleaner.exe /Startup
O4 - HKCU\..\Run: [System Update] C:\WINDOWS\System\winlogon.exe
O4 - HKLM\..\RunOnce: [tih] fyvv.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\OFFICE\OSA9.EXE
O4 - Startup: Scheduler.lnk = C:\Program Files\Calendar Creator Christian\Scheduler.exe
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: Library Manager.pif = C:\DRIVERS\TATTOO.EXE
O4 - Startup: cuy.exe
O4 - Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Freeserve (HKCU)
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.learndirect.co.uk
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {8100A35F-FFA1-471F-AC9A-2A8847BE78DF} (IberoDialer Class) - http://213.201.69.103/data/dialercab/DialerDLLRTB.cab
O16 - DPF: {2C1651EF-8827-11D6-91A2-00E02964E8E3} (IntRuboskizo Class) - http://www.chicasmodelos.com/ruboskizo.cab
O16 - DPF: {F0AA2376-F073-4E57-86E8-0238F99087C7} (AInst Class) - http://216.129.173.30/xxxnaughty/activeinstaller.dll
O16 - DPF: {11111111-1111-1111-1111-111111111111} - http://usa-download.nocreditcard.net/download/newdial-erp/2736/dialer.exe
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://www.contentwatch.com/audit/includes/ContentAuditControl.cab
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct1_x.cab
Joined
·
46,465 Posts
Click here to download CWShredder. Close all browser windows,UnZip the file, click on the cwshredder.exe then click "Fix" (Not "Scan only") and let it do it's thing.
When it is finished restart your computer.
IMPORTANT!: To help prevent this from happening again, I strongly recommend you install the patches for the vulnerabilities that this hijacker exploits.
The simplest way to make sure you have all the security patches is to go to Windows update and install all "Critical Updates and Service Packs"
Go here and download Adaware 6 Build 181
Install the program and launch it.
First in the main window look in the bottom right corner and click on Check for updates now and download the latest referencefiles.
Make sure the following settings are made and on -------ON=GREEN
From main window :Click Start then Activate in-depth scan (recommended)
Click Use custom scanning options then click Customize and have these options selected: Under Drives and Folders put a check by Scan within archives and below that under Memory and Registry put a check by all the options there.
Now click on the Tweak button in that same window. Under Scanning engine select Unload recognized processes during scanning and under Cleaning Engine select Let windows remove files in use at next reboot
Click proceed to save your settings.
Now to scan just click the Next button.
When the scan is finished mark everything for removal and get rid of it.(Right-click the window and choose select all from the drop down menu and click Next)
Restart your computer.
Then go here and download Spybot Search & Destroy.
Install the program and launch it.
Before scanning press Online and Search for Updates .
Put a check mark at and install all updates.
Click Check for Problems and when the scan is finished let Spybot fix/remove all it finds marked in RED.
Restart your computer.
Come back here and post another Hijack This log and we'll get rid of what's left.
When it is finished restart your computer.
IMPORTANT!: To help prevent this from happening again, I strongly recommend you install the patches for the vulnerabilities that this hijacker exploits.
The simplest way to make sure you have all the security patches is to go to Windows update and install all "Critical Updates and Service Packs"
Go here and download Adaware 6 Build 181
Install the program and launch it.
First in the main window look in the bottom right corner and click on Check for updates now and download the latest referencefiles.
Make sure the following settings are made and on -------ON=GREEN
From main window :Click Start then Activate in-depth scan (recommended)
Click Use custom scanning options then click Customize and have these options selected: Under Drives and Folders put a check by Scan within archives and below that under Memory and Registry put a check by all the options there.
Now click on the Tweak button in that same window. Under Scanning engine select Unload recognized processes during scanning and under Cleaning Engine select Let windows remove files in use at next reboot
Click proceed to save your settings.
Now to scan just click the Next button.
When the scan is finished mark everything for removal and get rid of it.(Right-click the window and choose select all from the drop down menu and click Next)
Restart your computer.
Then go here and download Spybot Search & Destroy.
Install the program and launch it.
Before scanning press Online and Search for Updates .
Put a check mark at and install all updates.
Click Check for Problems and when the scan is finished let Spybot fix/remove all it finds marked in RED.
Restart your computer.
Come back here and post another Hijack This log and we'll get rid of what's left.
Joined
·
46,465 Posts
If you don't have a zip utility you can download the trial version of WinZip from here:
http://www.winzip.com/downwz.htm
http://www.winzip.com/downwz.htm
Joined
·
56,593 Posts
First Name -
Derek
if you are having problems then downlaod the shredder.exe direct rather than a zip
then we can get rid oof the infection and work out why the files are wrongly associated later
thsi is a direct link to the download
http://homepage.ntlworld.com/dvk01uk/files/cwshredder1534.exe
then we can get rid oof the infection and work out why the files are wrongly associated later
thsi is a direct link to the download
http://homepage.ntlworld.com/dvk01uk/files/cwshredder1534.exe
thank you dvK01 and flrman1, i have downloaded the shredder and the adaware 6, and downloaded the refrence files, but i dont know what to do now, thanks for your help, could you please explain easily from now on what i have to do
thanks.
thanks.
thank you very much for your help, i have done that and this is the log.
Logfile of HijackThis v1.97.7
Scan saved at 18:32:53, on 28/03/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v5.50 SP1 (5.50.4522.1800)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\FYVV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\MEDIASCAPE\MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\Mediascape\OnScreen Display\OSD.exe
C:\PROGRAM FILES\TEXTBRIDGE CLASSIC 2.0\BIN\INSTANTACCESS.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\POPROXY.EXE
C:\PROGRAM FILES\A4TECH\KEYBOARD\IKEYMAIN.EXE
C:\PROGRAM FILES\A4TECH\MOUSE\AMOUMAIN.EXE
C:\WINDOWS\SYSTEM32\DRIVERS\DCFSSVC.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\FYVV.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\LSASS.EXE
C:\WINDOWS\SYSTEM\WINLOGON.EXE
C:\PROGRAM FILES\CALENDAR CREATOR CHRISTIAN\SCHEDULER.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\PROGRAM FILES\KODAK\KODAK EASYSHARE SOFTWARE\BIN\EASYSHARE.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\CMMON32.EXE
C:\WINDOWS\DESKTOP\ANDRE COURSEWORK\HTHIS\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.learndirect.co.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=webcache.blueyonder.co.uk:8080
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.freeserve.com/
O1 - Hosts: 217.116.231.7 aimtoday.aol.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Multimedia Keyboard] C:\Mediascape\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [OnScreen Display] C:\Mediascape\OnScreen Display\OSD.exe
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\BIN\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\BIN\REGIST~1.EXE
O4 - HKLM\..\Run: [cAg0u] C:\WINDOWS\SYSTEM\74AC79E0.hta
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Norton AntiVirus\POPROXY.EXE
O4 - HKLM\..\Run: [iKeyWorks] C:\PROGRA~1\A4TECH\KEYBOARD\IKEYMAIN.EXE
O4 - HKLM\..\Run: [WheelMouse] C:\PROGRA~1\A4TECH\MOUSE\AMOUMAIN.EXE
O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
O4 - HKLM\..\Run: [Dcfssvc] c:\windows\System32\Drivers\dcfssvc.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [System Process] C:\WINDOWS\lsass.exe /i
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\BIN\REGIST~1.EXE
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKCU\..\Run: [Windows & Internet Cleaner Pro] C:\Program Files\Windows & Internet Cleaner Pro\WICleaner.exe /Startup
O4 - HKCU\..\Run: [System Update] C:\WINDOWS\System\winlogon.exe
O4 - HKLM\..\RunOnce: [tih] fyvv.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\OFFICE\OSA9.EXE
O4 - Startup: Scheduler.lnk = C:\Program Files\Calendar Creator Christian\Scheduler.exe
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: Library Manager.pif = C:\DRIVERS\TATTOO.EXE
O4 - Startup: cuy.exe
O4 - Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.learndirect.co.uk
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {8100A35F-FFA1-471F-AC9A-2A8847BE78DF} (IberoDialer Class) - http://213.201.69.103/data/dialercab/DialerDLLRTB.cab
O16 - DPF: {2C1651EF-8827-11D6-91A2-00E02964E8E3} (IntRuboskizo Class) - http://www.chicasmodelos.com/ruboskizo.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://www.contentwatch.com/audit/includes/ContentAuditControl.cab
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct1_x.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38074.2056365741
Logfile of HijackThis v1.97.7
Scan saved at 18:32:53, on 28/03/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v5.50 SP1 (5.50.4522.1800)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\FYVV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\MEDIASCAPE\MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\Mediascape\OnScreen Display\OSD.exe
C:\PROGRAM FILES\TEXTBRIDGE CLASSIC 2.0\BIN\INSTANTACCESS.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\POPROXY.EXE
C:\PROGRAM FILES\A4TECH\KEYBOARD\IKEYMAIN.EXE
C:\PROGRAM FILES\A4TECH\MOUSE\AMOUMAIN.EXE
C:\WINDOWS\SYSTEM32\DRIVERS\DCFSSVC.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\FYVV.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\LSASS.EXE
C:\WINDOWS\SYSTEM\WINLOGON.EXE
C:\PROGRAM FILES\CALENDAR CREATOR CHRISTIAN\SCHEDULER.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\PROGRAM FILES\KODAK\KODAK EASYSHARE SOFTWARE\BIN\EASYSHARE.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\CMMON32.EXE
C:\WINDOWS\DESKTOP\ANDRE COURSEWORK\HTHIS\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.learndirect.co.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=webcache.blueyonder.co.uk:8080
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.freeserve.com/
O1 - Hosts: 217.116.231.7 aimtoday.aol.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Multimedia Keyboard] C:\Mediascape\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [OnScreen Display] C:\Mediascape\OnScreen Display\OSD.exe
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\BIN\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\BIN\REGIST~1.EXE
O4 - HKLM\..\Run: [cAg0u] C:\WINDOWS\SYSTEM\74AC79E0.hta
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Norton AntiVirus\POPROXY.EXE
O4 - HKLM\..\Run: [iKeyWorks] C:\PROGRA~1\A4TECH\KEYBOARD\IKEYMAIN.EXE
O4 - HKLM\..\Run: [WheelMouse] C:\PROGRA~1\A4TECH\MOUSE\AMOUMAIN.EXE
O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
O4 - HKLM\..\Run: [Dcfssvc] c:\windows\System32\Drivers\dcfssvc.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [System Process] C:\WINDOWS\lsass.exe /i
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\BIN\REGIST~1.EXE
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKCU\..\Run: [Windows & Internet Cleaner Pro] C:\Program Files\Windows & Internet Cleaner Pro\WICleaner.exe /Startup
O4 - HKCU\..\Run: [System Update] C:\WINDOWS\System\winlogon.exe
O4 - HKLM\..\RunOnce: [tih] fyvv.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\OFFICE\OSA9.EXE
O4 - Startup: Scheduler.lnk = C:\Program Files\Calendar Creator Christian\Scheduler.exe
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: Library Manager.pif = C:\DRIVERS\TATTOO.EXE
O4 - Startup: cuy.exe
O4 - Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.learndirect.co.uk
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {8100A35F-FFA1-471F-AC9A-2A8847BE78DF} (IberoDialer Class) - http://213.201.69.103/data/dialercab/DialerDLLRTB.cab
O16 - DPF: {2C1651EF-8827-11D6-91A2-00E02964E8E3} (IntRuboskizo Class) - http://www.chicasmodelos.com/ruboskizo.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://www.contentwatch.com/audit/includes/ContentAuditControl.cab
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct1_x.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38074.2056365741
Joined
·
46,465 Posts
Run Hijack This again and put a check by these. Close all windows except HijackThis and click "Fix checked"
O1 - Hosts: 217.116.231.7 aimtoday.aol.com
O4 - HKLM\..\Run: [cAg0u] C:\WINDOWS\SYSTEM\74AC79E0.hta
O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
O4 - HKLM\..\Run: [System Process] C:\WINDOWS\lsass.exe /i
O4 - HKCU\..\Run: [System Update] C:\WINDOWS\System\winlogon.exe
O4 - HKLM\..\RunOnce: [tih] fyvv.exe
O4 - Startup: Library Manager.pif = C:\DRIVERS\TATTOO.EXE
O4 - Startup: cuy.exe
O16 - DPF: {8100A35F-FFA1-471F-AC9A-2A8847BE78DF} (IberoDialer Class) - http://213.201.69.103/data/dialercab/DialerDLLRTB.cab
O16 - DPF: {2C1651EF-8827-11D6-91A2-00E02964E8E3} (IntRuboskizo Class) - http://www.chicasmodelos.com/ruboskizo.cab
Restart to safe mode.
First in safe mode click on My Computer then go to View > Folder Options. Click on the "View" tab and make sure "Show all files" is ticked and uncheck "Hide file extensions for known file types". Click "Like Current Folder" then click "Apply" then "OK"
Now find and delete these files:
The C:\WINDOWS\SYSTEM\74AC79E0.hta file
The C:\WINDOWS\SYSTEM\FYVV.EXE file
The C:\DRIVERS\TATTOO.EXE file
How to start your computer in safe mode
Empty the Recycle Bin.
Go here and do an online virus scan:
http://housecall.trendmicro.com/
Be sure and put a check in the box by "Auto Clean" before you do the scan. If it finds anything that it cannot clean have it delete it or make a note of the file location so you can delete it yourself.
O1 - Hosts: 217.116.231.7 aimtoday.aol.com
O4 - HKLM\..\Run: [cAg0u] C:\WINDOWS\SYSTEM\74AC79E0.hta
O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
O4 - HKLM\..\Run: [System Process] C:\WINDOWS\lsass.exe /i
O4 - HKCU\..\Run: [System Update] C:\WINDOWS\System\winlogon.exe
O4 - HKLM\..\RunOnce: [tih] fyvv.exe
O4 - Startup: Library Manager.pif = C:\DRIVERS\TATTOO.EXE
O4 - Startup: cuy.exe
O16 - DPF: {8100A35F-FFA1-471F-AC9A-2A8847BE78DF} (IberoDialer Class) - http://213.201.69.103/data/dialercab/DialerDLLRTB.cab
O16 - DPF: {2C1651EF-8827-11D6-91A2-00E02964E8E3} (IntRuboskizo Class) - http://www.chicasmodelos.com/ruboskizo.cab
Restart to safe mode.
First in safe mode click on My Computer then go to View > Folder Options. Click on the "View" tab and make sure "Show all files" is ticked and uncheck "Hide file extensions for known file types". Click "Like Current Folder" then click "Apply" then "OK"
Now find and delete these files:
The C:\WINDOWS\SYSTEM\74AC79E0.hta file
The C:\WINDOWS\SYSTEM\FYVV.EXE file
The C:\DRIVERS\TATTOO.EXE file
How to start your computer in safe mode
Empty the Recycle Bin.
Go here and do an online virus scan:
http://housecall.trendmicro.com/
Be sure and put a check in the box by "Auto Clean" before you do the scan. If it finds anything that it cannot clean have it delete it or make a note of the file location so you can delete it yourself.
flrman1, thanks for the help i have done that but have not restarted the computer in safe mode as dont know how, is it possible to help more? this is the log at the moment, what do i need to do next?
the files that i checked and deleted in hijackthis have created backups is this correct?
thanks
Logfile of HijackThis v1.97.7
Scan saved at 18:34:44, on 29/03/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v5.50 SP1 (5.50.4522.1800)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\FYVV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\MEDIASCAPE\MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\Mediascape\OnScreen Display\OSD.exe
C:\PROGRAM FILES\TEXTBRIDGE CLASSIC 2.0\BIN\INSTANTACCESS.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\POPROXY.EXE
C:\PROGRAM FILES\A4TECH\KEYBOARD\IKEYMAIN.EXE
C:\PROGRAM FILES\A4TECH\MOUSE\AMOUMAIN.EXE
C:\WINDOWS\SYSTEM32\DRIVERS\DCFSSVC.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\CALENDAR CREATOR CHRISTIAN\SCHEDULER.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\PROGRAM FILES\KODAK\KODAK EASYSHARE SOFTWARE\BIN\EASYSHARE.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\CMMON32.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\DESKTOP\ANDRE COURSEWORK\HTHIS\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.learndirect.co.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=webcache.blueyonder.co.uk:8080
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.freeserve.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Multimedia Keyboard] C:\Mediascape\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [OnScreen Display] C:\Mediascape\OnScreen Display\OSD.exe
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\BIN\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\BIN\REGIST~1.EXE
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Norton AntiVirus\POPROXY.EXE
O4 - HKLM\..\Run: [iKeyWorks] C:\PROGRA~1\A4TECH\KEYBOARD\IKEYMAIN.EXE
O4 - HKLM\..\Run: [WheelMouse] C:\PROGRA~1\A4TECH\MOUSE\AMOUMAIN.EXE
O4 - HKLM\..\Run: [Dcfssvc] c:\windows\System32\Drivers\dcfssvc.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\BIN\REGIST~1.EXE
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKCU\..\Run: [Windows & Internet Cleaner Pro] C:\Program Files\Windows & Internet Cleaner Pro\WICleaner.exe /Startup
O4 - HKLM\..\RunOnce: [tih] fyvv.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\OFFICE\OSA9.EXE
O4 - Startup: Scheduler.lnk = C:\Program Files\Calendar Creator Christian\Scheduler.exe
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.learndirect.co.uk
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://www.contentwatch.com/audit/includes/ContentAuditControl.cab
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct1_x.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38074.2056365741
the files that i checked and deleted in hijackthis have created backups is this correct?
thanks
Logfile of HijackThis v1.97.7
Scan saved at 18:34:44, on 29/03/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v5.50 SP1 (5.50.4522.1800)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\FYVV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\MEDIASCAPE\MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\Mediascape\OnScreen Display\OSD.exe
C:\PROGRAM FILES\TEXTBRIDGE CLASSIC 2.0\BIN\INSTANTACCESS.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\POPROXY.EXE
C:\PROGRAM FILES\A4TECH\KEYBOARD\IKEYMAIN.EXE
C:\PROGRAM FILES\A4TECH\MOUSE\AMOUMAIN.EXE
C:\WINDOWS\SYSTEM32\DRIVERS\DCFSSVC.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\CALENDAR CREATOR CHRISTIAN\SCHEDULER.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\PROGRAM FILES\KODAK\KODAK EASYSHARE SOFTWARE\BIN\EASYSHARE.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\CMMON32.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\DESKTOP\ANDRE COURSEWORK\HTHIS\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.learndirect.co.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=webcache.blueyonder.co.uk:8080
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.freeserve.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Multimedia Keyboard] C:\Mediascape\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [OnScreen Display] C:\Mediascape\OnScreen Display\OSD.exe
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\BIN\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\BIN\REGIST~1.EXE
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Norton AntiVirus\POPROXY.EXE
O4 - HKLM\..\Run: [iKeyWorks] C:\PROGRA~1\A4TECH\KEYBOARD\IKEYMAIN.EXE
O4 - HKLM\..\Run: [WheelMouse] C:\PROGRA~1\A4TECH\MOUSE\AMOUMAIN.EXE
O4 - HKLM\..\Run: [Dcfssvc] c:\windows\System32\Drivers\dcfssvc.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\BIN\REGIST~1.EXE
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKCU\..\Run: [Windows & Internet Cleaner Pro] C:\Program Files\Windows & Internet Cleaner Pro\WICleaner.exe /Startup
O4 - HKLM\..\RunOnce: [tih] fyvv.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\OFFICE\OSA9.EXE
O4 - Startup: Scheduler.lnk = C:\Program Files\Calendar Creator Christian\Scheduler.exe
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.learndirect.co.uk
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://www.contentwatch.com/audit/includes/ContentAuditControl.cab
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct1_x.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38074.2056365741
Joined
·
46,465 Posts
Fix this one:
O4 - HKLM\..\RunOnce: [tih] fyvv.exe
Boot to safe mode and delete these files:
The C:\WINDOWS\SYSTEM\74AC79E0.hta file
The C:\WINDOWS\SYSTEM\FYVV.EXE file
The C:\DRIVERS\TATTOO.EXE file
How to start your computer in safe mode
^^^^^^This link shows you how to boot to safe mode^^^^^^^
Did you do the online virus scan?
O4 - HKLM\..\RunOnce: [tih] fyvv.exe
Boot to safe mode and delete these files:
The C:\WINDOWS\SYSTEM\74AC79E0.hta file
The C:\WINDOWS\SYSTEM\FYVV.EXE file
The C:\DRIVERS\TATTOO.EXE file
How to start your computer in safe mode
^^^^^^This link shows you how to boot to safe mode^^^^^^^
Did you do the online virus scan?
thanks for your help, i have done that, this is the log.
it has created backups of all these, is this correct?
i have not done the safe mode thing, can you please tell me what i have to do now? thanks.
Logfile of HijackThis v1.97.7
Scan saved at 18:34:44, on 29/03/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v5.50 SP1 (5.50.4522.1800)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\FYVV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\MEDIASCAPE\MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\Mediascape\OnScreen Display\OSD.exe
C:\PROGRAM FILES\TEXTBRIDGE CLASSIC 2.0\BIN\INSTANTACCESS.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\POPROXY.EXE
C:\PROGRAM FILES\A4TECH\KEYBOARD\IKEYMAIN.EXE
C:\PROGRAM FILES\A4TECH\MOUSE\AMOUMAIN.EXE
C:\WINDOWS\SYSTEM32\DRIVERS\DCFSSVC.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\CALENDAR CREATOR CHRISTIAN\SCHEDULER.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\PROGRAM FILES\KODAK\KODAK EASYSHARE SOFTWARE\BIN\EASYSHARE.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\CMMON32.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\DESKTOP\ANDRE COURSEWORK\HTHIS\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.learndirect.co.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=webcache.blueyonder.co.uk:8080
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.freeserve.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Multimedia Keyboard] C:\Mediascape\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [OnScreen Display] C:\Mediascape\OnScreen Display\OSD.exe
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\BIN\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\BIN\REGIST~1.EXE
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Norton AntiVirus\POPROXY.EXE
O4 - HKLM\..\Run: [iKeyWorks] C:\PROGRA~1\A4TECH\KEYBOARD\IKEYMAIN.EXE
O4 - HKLM\..\Run: [WheelMouse] C:\PROGRA~1\A4TECH\MOUSE\AMOUMAIN.EXE
O4 - HKLM\..\Run: [Dcfssvc] c:\windows\System32\Drivers\dcfssvc.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\BIN\REGIST~1.EXE
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKCU\..\Run: [Windows & Internet Cleaner Pro] C:\Program Files\Windows & Internet Cleaner Pro\WICleaner.exe /Startup
O4 - HKLM\..\RunOnce: [tih] fyvv.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\OFFICE\OSA9.EXE
O4 - Startup: Scheduler.lnk = C:\Program Files\Calendar Creator Christian\Scheduler.exe
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.learndirect.co.uk
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://www.contentwatch.com/audit/includes/ContentAuditControl.cab
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct1_x.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38074.2056365741
it has created backups of all these, is this correct?
i have not done the safe mode thing, can you please tell me what i have to do now? thanks.
Logfile of HijackThis v1.97.7
Scan saved at 18:34:44, on 29/03/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v5.50 SP1 (5.50.4522.1800)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\FYVV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\MEDIASCAPE\MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\Mediascape\OnScreen Display\OSD.exe
C:\PROGRAM FILES\TEXTBRIDGE CLASSIC 2.0\BIN\INSTANTACCESS.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\POPROXY.EXE
C:\PROGRAM FILES\A4TECH\KEYBOARD\IKEYMAIN.EXE
C:\PROGRAM FILES\A4TECH\MOUSE\AMOUMAIN.EXE
C:\WINDOWS\SYSTEM32\DRIVERS\DCFSSVC.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\CALENDAR CREATOR CHRISTIAN\SCHEDULER.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\PROGRAM FILES\KODAK\KODAK EASYSHARE SOFTWARE\BIN\EASYSHARE.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\CMMON32.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\DESKTOP\ANDRE COURSEWORK\HTHIS\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.learndirect.co.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=webcache.blueyonder.co.uk:8080
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.freeserve.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Multimedia Keyboard] C:\Mediascape\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [OnScreen Display] C:\Mediascape\OnScreen Display\OSD.exe
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\BIN\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\BIN\REGIST~1.EXE
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Norton AntiVirus\POPROXY.EXE
O4 - HKLM\..\Run: [iKeyWorks] C:\PROGRA~1\A4TECH\KEYBOARD\IKEYMAIN.EXE
O4 - HKLM\..\Run: [WheelMouse] C:\PROGRA~1\A4TECH\MOUSE\AMOUMAIN.EXE
O4 - HKLM\..\Run: [Dcfssvc] c:\windows\System32\Drivers\dcfssvc.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\BIN\REGIST~1.EXE
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKCU\..\Run: [Windows & Internet Cleaner Pro] C:\Program Files\Windows & Internet Cleaner Pro\WICleaner.exe /Startup
O4 - HKLM\..\RunOnce: [tih] fyvv.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\OFFICE\OSA9.EXE
O4 - Startup: Scheduler.lnk = C:\Program Files\Calendar Creator Christian\Scheduler.exe
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.learndirect.co.uk
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://www.contentwatch.com/audit/includes/ContentAuditControl.cab
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct1_x.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38074.2056365741
1 - 20 of 30 Posts
- Status
Join the discussion
