Tech Support Guy banner
  • Please post in our Community Feedback thread for help with the new forum software! If you are having trouble logging in, please Contact Us for assistance.
Status
Not open for further replies.
1 - 7 of 7 Posts

·
Registered
Joined
·
3 Posts
Discussion Starter · #1 ·
Hi,

For several weeks I've had annoying pop ups.
Tried adaware, BPS spyware remover, Zone alarm, and a NAV scan.

This is my hijackthis log:

Logfile of HijackThis v1.97.7
Scan saved at 6:12:59 PM, on 19/Mar/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\RTVSCN95.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\DEFWATCH.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\VPEXRT.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\KEYBOARD\SPEEDKEY.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\VPTRAY.EXE
C:\WINDOWS\MDMSETSP.EXE
C:\PROGRAM FILES\AHEAD\INCD\INCD.EXE
C:\WINDOWS\SM56HLPR.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\YQ9B.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
D:\INTERNET DOWNLOADS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://209.120.179.64/search.asp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://209.120.179.64/search.asp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
F1 - win.ini: run=hpfsched
O1 - Hosts: 209.120.179.64 auto.search.msn.com
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_16_0.DLL
O2 - BHO: (no name) - {BDA02F30-6498-461C-8927-10CAD9842929} - C:\WINDOWS\LNWM4ROIM.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_16_0.DLL
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Microsoft IntelliType Pro] "C:\Program Files\Microsoft Hardware\Keyboard\speedkey.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NORTON~1\VPTRAY.EXE
O4 - HKLM\..\Run: [RegShave] C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun
O4 - HKLM\..\Run: [ModemUtility] mdmsetsp.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [u3063P] C:\WINDOWS\yq9B.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [rtvscn95] C:\PROGRA~1\NORTON~1\RTVSCN95.EXE
O4 - HKLM\..\RunServices: [defwatch] C:\PROGRA~1\NORTON~1\DEFWATCH.EXE
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Exif Launcher.lnk = C:\Program Files\Exif Launcher\QuickDCF.exe
O8 - Extra context menu item: îéìåé èôñéí &] - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: ùîéøú èôñéí &^ - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: &äúàîä àéùéú ìúôøéè ìçöï éîðé - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: øåáåôåøí (HKLM)
O9 - Extra 'Tools' menuitem: ñøâì äëìéí ùì øåáåôåøí &2 (HKLM)
O9 - Extra button: îéìåé èôñéí (HKLM)
O9 - Extra 'Tools' menuitem: îéìåé èôñéí &] (HKLM)
O9 - Extra button: ùîéøä (HKLM)
O9 - Extra 'Tools' menuitem: ùîéøú èôñéí &^ (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {4248083C-9656-11D2-8B7F-00105A17847A} - http://downloads.mplayer.com/MplayerAutoInstaller.exe
O16 - DPF: {049BE102-0FB8-11D3-8A45-E7C668181257} - https://secure.digigoods.com/swinstall/softlock.cab
O16 - DPF: {16E349E0-702C-11CF-A3A9-00A0C9034920} (Preloader Object) - http://activex.microsoft.com/activex/controls/iexplorer/x86/iepreld.cab
O16 - DPF: {D6526FE0-E651-11CF-99CB-00C04FD64497} (Microsoft MSChat Control Object) - http://activex.microsoft.com/activex/controls/mschat/mschatocx.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
O16 - DPF: {2DE8E1D7-535B-4984-8CD3-BCA3FCB81CB5} (CrossTalk.CrossTalkActiveX) - http://chat.nonstop.net.il/crosstalk/shared/CrossTalk.cab
O16 - DPF: {08C818C3-2F1E-11D0-9223-00A0244D2920} (ChartFX IE Client Object) - https://hb2.bankleumi.co.il/download/cfxax.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/TemplateGallery/downloads/outc.cab
O16 - DPF: {00000000-8c7d-4ea8-b113-9163c935d38e} -
O16 - DPF: {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} -
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Basic) - http://www.b2001.org.il/ScriptX.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37995.5753356482
O16 - DPF: {94D2A476-84BC-4E4C-820A-2C5372CF89BF} (MailConfig Class) - http://lotus.netvision.net.il/help/MailCfg.dll
O16 - DPF: {A7798D6C-C6B5-4F26-9363-F7CDBBFFA607} (download Class) - http://www.gigex.com/ActiveX/vxpspeeddelivery.dll
O16 - DPF: {346685E3-C383-11CF-A5A4-00AA00A45705} (ActiveX Control) - http://imd.gonext.co.il/gonext/zazabox/pc/SISActiveX.cab
O16 - DPF: {EFB22865-F3BC-4309-ADFA-C8E078A7F762} (SysWebTelecomInt Class) - http://www.sponsoradulto.com/en/SysWebTelecom.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst0401.cab

Please help!!!
 

·
Registered
Joined
·
46,353 Posts
Hi helpkillpopu

Welcome to TSG! :)

First please do this:

Navigate to the C:\WINDOWS folder and locate the yq9B.exe file. Right click it and choose "Copy". Now paste that copy somewhere convenient like in My Documents then right click it again and choose "Rename" and rename it to yq9B.txt. Attach that renamed copy and send it to me here. Please include a link to this thread so I'll remember where it came from.

After you have sent the file go ahead and delete the copy.

This file may be hidden so click on My Computer then go to View > Folder Options. Click on the "View" tab and make sure "Show all files" is ticked and uncheck "Hide file extensions for known file types". Click "Like Current Folder" then click "Apply" then "OK"

Run Hijack This again and put a check by these. Close all windows except HijackThis and click "Fix checked"

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://209.120.179.64/search.asp

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://209.120.179.64/search.asp

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

R3 - Default URLSearchHook is missing

O1 - Hosts: 209.120.179.64 auto.search.msn.com

O2 - BHO: (no name) - {BDA02F30-6498-461C-8927-10CAD9842929} - C:\WINDOWS\LNWM4ROIM.DLL

O4 - HKLM\..\Run: [u3063P] C:\WINDOWS\yq9B.exe

O16 - DPF: {00000000-8c7d-4ea8-b113-9163c935d38e} -

O16 - DPF: {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} -

O16 - DPF: {A7798D6C-C6B5-4F26-9363-F7CDBBFFA607} (download Class) - http://www.gigex.com/ActiveX/vxpspeeddelivery.dll

O16 - DPF: {EFB22865-F3BC-4309-ADFA-C8E078A7F762} (SysWebTelecomInt Class) - http://www.sponsoradulto.com/en/SysWebTelecom.cab


Restart to safe mode and delete:

The C:\WINDOWS\yq9B.exe file

How to start your computer in safe mode.
 
1 - 7 of 7 Posts
Status
Not open for further replies.
Top