Status
Not open for further replies.
1 - 20 of 21 Posts

·
Registered
Joined
·
37 Posts
Discussion Starter · #1 ·
Can someone tell me which of these I can safely delete? I'm currently running Windows 98... thanx

Logfile of HijackThis v1.97.2
Scan saved at 23:17:31, on 3/26/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE32.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\PROGRA~1\NETROPA\ONSCRE~1\OSD.EXE
C:\TOOLS_95\IMGICON.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\AIM95\AIM.EXE
C:\PROGRAM FILES\AMERICA ONLINE 8.0\AOL.EXE
C:\PROGRAM FILES\AMERICA ONLINE 8.0\WAOL.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\LEXPPS.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mchsi.com/pace
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Mediacom Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r21.mchsi.com:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *r21.mchsi.com;localhost
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Startup: Iomega Startup Options.lnk = C:\Tools_95\IMGSTART.EXE
O4 - Startup: Iomega Watch.lnk = C:\Tools_95\IOWATCH.EXE
O4 - Startup: Zip Disk Icons.lnk = C:\Tools_95\IMGICON.EXE
O9 - Extra button: Trace (HKLM)
O9 - Extra 'Tools' menuitem: VisualRoute Trace (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Whistle (HKLM)
O9 - Extra button: Voiceglo directory (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
 

·
Registered
Joined
·
420 Posts
Hi MikeFL, your log looks fine! Create a new folder in C:\Program Files named "Hijack This", place Hijack This.exe in the new folder, right-click Hijack This.exe, select "Create Shortcut", and place the new shortcut to Hijack This on your Desktop for future use.

Good luck
 

·
Registered
Joined
·
37 Posts
Discussion Starter · #3 ·
thanx for the reply... but I have a problem w/my puter... whenever I try to log onto AOL, I keep getting a lil box that pops up saying that I need to download AOL player files, and then my puter goes into standby. I'm currently using Windows 98 and have cable hook up... I haven't had this problem until recently... HELP! It's so darn frustrating....
 

·
Registered
Joined
·
37 Posts
Discussion Starter · #5 ·
here's the new hijack log...which should I safely delete?

Logfile of HijackThis v1.97.7
Scan saved at 14:24:52, on 3/27/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE32.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\PROGRAM FILES\LYCOS\IEAGENT\LOADER.EXE
C:\PROGRAM FILES\N-CASE\MSBB.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\PROGRA~1\NETROPA\ONSCRE~1\OSD.EXE
C:\TOOLS_95\IMGICON.EXE
C:\WINDOWS\0866KTKQ.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mchsi.com/pace
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Mediacom Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r21.mchsi.com:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *r21.mchsi.com;localhost
O2 - BHO: (no name) - {B549456D-F5D0-4641-BCED-8648A0C13D83} - C:\WINDOWS\BrowserHelper.dll
O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000000221} - C:\PROGRA~1\LYCOS\IEAGENT\CSIE.DLL
O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\BXXS5.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [ClrSchLoader] \Progra~1\Lycos\IEagent\Loader.exe
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\BXXS5.DLL,DllRun
O4 - HKLM\..\Run: [msbb] c:\program files\n-case\msbb.exe
O4 - HKLM\..\Run: [knypqrqh] C:\WINDOWS\knypqrqh.exe
O4 - HKLM\..\Run: [0866KTKQ.EXE] C:\WINDOWS\0866KTKQ.EXE /dk
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [0866KTKQ.EXE] C:\WINDOWS\0866KTKQ.EXE /dk
O4 - Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Startup: Iomega Startup Options.lnk = C:\Tools_95\IMGSTART.EXE
O4 - Startup: Iomega Watch.lnk = C:\Tools_95\IOWATCH.EXE
O4 - Startup: Zip Disk Icons.lnk = C:\Tools_95\IMGICON.EXE
O4 - Startup: MORZE5.lnk = C:\WINDOWS\morze5.exe
O4 - Startup: C6MIIMJ1.lnk = C:\WINDOWS\c6miimj1.exe
O4 - Startup: 0866KTKQ.lnk = C:\WINDOWS\0866ktkq.exe
O4 - Global Startup: MORZE5.lnk = C:\WINDOWS\morze5.exe
O4 - Global Startup: C6MIIMJ1.lnk = C:\WINDOWS\c6miimj1.exe
O4 - Global Startup: 0866KTKQ.lnk = C:\WINDOWS\0866ktkq.exe
O9 - Extra button: Trace (HKLM)
O9 - Extra 'Tools' menuitem: VisualRoute Trace (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Whistle (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
 

·
Administrator
Joined
·
123,536 Posts
The latest version of HJT shows that you have loader.exe which, I believe, is a variant of CoolWebSearch or at least trojan related.

I will request that this thread be moved to the Security forum.

Cookie
 

·
Registered
Joined
·
46,353 Posts
I've moved this to the Security forum.

Give me a few minutes to look through the log.
 

·
Registered
Joined
·
46,353 Posts
First please do this:

Navigate to the C:\WINDOWS folder and locate the 0866KTKQ.EXE file. Copy that file and put it in a zipped folder and send it to me here. Please include a link to this thread so I'll remember where it came from.

Now I'm going to ask you to boot to safe mode to do these fixes with HJT, so you will need to copy these instructions to Notepad.

Boot to safe mode:

How to start your computer in safe mode.

In safe mode click on My Computer then go to View > Folder Options. Click on the "View" tab and make sure "Show all files" is ticked and uncheck "Hide file extensions for known file types". Click "Like Current Folder" then click "Apply" then "OK"

Now run Hijack This again and put a check by these. Close all windows except HijackThis and click "Fix checked"

O2 - BHO: (no name) - {B549456D-F5D0-4641-BCED-8648A0C13D83} - C:\WINDOWS\BrowserHelper.dll

O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000000221} - C:\PROGRA~1\LYCOS\IEAGENT\CSIE.DLL

O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\BXXS5.DLL

O4 - HKLM\..\Run: [ClrSchLoader] \Progra~1\Lycos\IEagent\Loader.exe

O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\BXXS5.DLL,DllRun

O4 - HKLM\..\Run: [msbb] c:\program files\n-case\msbb.exe

O4 - HKLM\..\Run: [knypqrqh] C:\WINDOWS\knypqrqh.exe

O4 - HKLM\..\Run: [0866KTKQ.EXE] C:\WINDOWS\0866KTKQ.EXE /dk

O4 - Startup: MORZE5.lnk = C:\WINDOWS\morze5.exe

O4 - Startup: C6MIIMJ1.lnk = C:\WINDOWS\c6miimj1.exe

O4 - Startup: 0866KTKQ.lnk = C:\WINDOWS\0866ktkq.exe

O4 - Global Startup: MORZE5.lnk = C:\WINDOWS\morze5.exe

O4 - Global Startup: C6MIIMJ1.lnk = C:\WINDOWS\c6miimj1.exe

O4 - Global Startup: 0866KTKQ.lnk = C:\WINDOWS\0866ktkq.exe


Now open the C:\Windows folder and find and delete these files:

0866ktkq.exe
morze5.exe
c6miimj1.exe
knypqrqh.exe


Also open the C:\PROGRAM FILES folder and delete these folders:

Lycos
n-case
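The entries picked out in the post above are the autostart (O4) lines that are absent from the first log in this thread. A sketch of that comparison follows, as an added example that is not part of the original thread: the function names are hypothetical, and the sample lines are excerpts of the O4 lines from the first two logs posted above.

```python
import re
from collections import defaultdict

# O4 (autostart) lines excerpted from the first log in this thread.
BASELINE_LOG = r"""
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup
O4 - Startup: Zip Disk Icons.lnk = C:\Tools_95\IMGICON.EXE
"""

# O4 lines excerpted from the second log in this thread.
LATER_LOG = r"""
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [msbb] c:\program files\n-case\msbb.exe
O4 - HKLM\..\Run: [knypqrqh] C:\WINDOWS\knypqrqh.exe
O4 - HKLM\..\Run: [0866KTKQ.EXE] C:\WINDOWS\0866KTKQ.EXE /dk
O4 - HKCU\..\Run: [0866KTKQ.EXE] C:\WINDOWS\0866KTKQ.EXE /dk
O4 - Startup: Zip Disk Icons.lnk = C:\Tools_95\IMGICON.EXE
O4 - Startup: 0866KTKQ.lnk = C:\WINDOWS\0866ktkq.exe
O4 - Global Startup: 0866KTKQ.lnk = C:\WINDOWS\0866ktkq.exe
"""

# "O4 - <location>: [name] command"  or  "O4 - <location>: link.lnk = path"
O4_RE = re.compile(
    r"^O4 - (?P<where>[^:]+): "
    r"(?:\[(?P<name>[^\]]*)\] (?P<cmd>.+)|(?P<lnk>.+?\.lnk) = (?P<path>.+))$",
    re.IGNORECASE,
)
EXE_RE = re.compile(r"(.+?\.exe)\b", re.IGNORECASE)   # executable without arguments
ROOT_RE = re.compile(r"c:\\windows\\[^\\]+")          # file directly in C:\WINDOWS


def parse_o4(log):
    """Return a set of (location, lower-cased executable) for each O4 line."""
    entries = set()
    for line in log.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        raw = (m.group("cmd") or m.group("path")).lstrip('"')
        exe = EXE_RE.match(raw)
        entries.add((m.group("where"), (exe.group(1) if exe else raw).lower()))
    return entries


def triage(baseline_log, later_log):
    """List autostart targets that are new since the baseline, grouped by
    executable so that one binary registered in several places stands out."""
    known = {target for _, target in parse_o4(baseline_log)}
    grouped = defaultdict(set)
    for where, target in parse_o4(later_log):
        if target not in known:
            grouped[target].add(where)
    return [
        {"target": t, "locations": sorted(locs),
         "in_windows_root": bool(ROOT_RE.fullmatch(t))}
        for t, locs in sorted(grouped.items())
    ]


if __name__ == "__main__":
    for item in triage(BASELINE_LOG, LATER_LOG):
        print(item)
```

The output is a review list, not a verdict: `scanregw.exe` also lives directly in C:\WINDOWS but is in the baseline, so it is not reported, while `0866ktkq.exe` shows up under four separate autostart locations.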
 

·
Registered
Joined
·
37 Posts
Discussion Starter · #9 ·
hello again... I've done the above like you advised... my pc is still acting a lil strange when booting up... here's the new HJT log... should I delete anything else? What about all the start up files? seems there are a lot more now????
Logfile of HijackThis v1.97.7
Scan saved at 23:04:54, on 3/27/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE32.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\PROGRA~1\NETROPA\ONSCRE~1\OSD.EXE
C:\WINDOWS\EMTPT0LE.EXE
C:\TOOLS_95\IMGICON.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mchsi.com/pace
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Mediacom Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r21.mchsi.com:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *r21.mchsi.com;localhost
R3 - Default URLSearchHook is missing
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [EMTPT0LE.EXE] C:\WINDOWS\EMTPT0LE.EXE /dk
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [EMTPT0LE.EXE] C:\WINDOWS\EMTPT0LE.EXE /dk
O4 - Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Startup: Iomega Startup Options.lnk = C:\Tools_95\IMGSTART.EXE
O4 - Startup: Iomega Watch.lnk = C:\Tools_95\IOWATCH.EXE
O4 - Startup: Zip Disk Icons.lnk = C:\Tools_95\IMGICON.EXE
O4 - Global Startup: MORZE1.lnk = C:\WINDOWS\lozwtpjf.exe
O4 - Global Startup: QGQ4DOVD.lnk = C:\WINDOWS\qgq4dovd.exe
O4 - Global Startup: ZM0VO626.lnk = C:\WINDOWS\zm0vo626.exe
O4 - Global Startup: LOZWTPJF.lnk = C:\WINDOWS\lozwtpjf.exe
O4 - Global Startup: MRMXNC7J.lnk = C:\WINDOWS\mrmxnc7j.exe
O4 - Global Startup: 8OR29MLX.lnk = C:\WINDOWS\8or29mlx.exe
O4 - Global Startup: ALGXB57N.lnk = C:\WINDOWS\algxb57n.exe
O4 - Global Startup: MZYD60WE.lnk = C:\WINDOWS\mzyd60we.exe
O4 - Global Startup: EMTPT0LE.lnk = C:\WINDOWS\emtpt0le.exe
O9 - Extra button: Trace (HKLM)
O9 - Extra 'Tools' menuitem: VisualRoute Trace (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Whistle (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
 

·
Registered
Joined
·
46,353 Posts
Boot to safe mode again and run Hijack This again and put a check by these. Close all windows except HijackThis and click "Fix checked"

O4 - HKCU\..\Run: [EMTPT0LE.EXE] C:\WINDOWS\EMTPT0LE.EXE /dk

O4 - Global Startup: MORZE1.lnk = C:\WINDOWS\lozwtpjf.exe

O4 - Global Startup: QGQ4DOVD.lnk = C:\WINDOWS\qgq4dovd.exe

O4 - Global Startup: ZM0VO626.lnk = C:\WINDOWS\zm0vo626.exe

O4 - Global Startup: LOZWTPJF.lnk = C:\WINDOWS\lozwtpjf.exe

O4 - Global Startup: MRMXNC7J.lnk = C:\WINDOWS\mrmxnc7j.exe

O4 - Global Startup: 8OR29MLX.lnk = C:\WINDOWS\8or29mlx.exe

O4 - Global Startup: ALGXB57N.lnk = C:\WINDOWS\algxb57n.exe

O4 - Global Startup: MZYD60WE.lnk = C:\WINDOWS\mzyd60we.exe

O4 - Global Startup: EMTPT0LE.lnk = C:\WINDOWS\emtpt0le.exe


Open the C:\Windows folder and delete these files:

emtpt0le.exe
mzyd60we.exe
algxb57n.exe
8or29mlx.exe
mrmxnc7j.exe
lozwtpjf.exe
zm0vo626.exe
qgq4dovd.exe


Also in the Windows folder find the Temp folder and go to Edit > Select All then Edit > Delete and delete everything in the Temp folder.

Now go to Control Panel > Internet Options and on the General tab under "Temporary Internet Files" Click "Delete Files". In the box that pops up put a check by "Delete offline content" then click OK.

Boot back to normal and post another log please.
 

·
Registered
Joined
·
37 Posts
Discussion Starter · #11 ·
hi there.. here's the new HJT log... I have no idea why the new start up files keep coming back..??? plus when I load Windows a small box appears saying it's trying to locate short cuts?

Logfile of HijackThis v1.97.7
Scan saved at 12:19:56, on 3/28/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE32.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\PROGRA~1\NETROPA\ONSCRE~1\OSD.EXE
C:\TOOLS_95\IMGICON.EXE
C:\WINDOWS\O2IYGB2F.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mchsi.com/pace
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Mediacom Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r21.mchsi.com:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *r21.mchsi.com;localhost
R3 - Default URLSearchHook is missing
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [O2IYGB2F.EXE] C:\WINDOWS\O2IYGB2F.EXE /dk
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [O2IYGB2F.EXE] C:\WINDOWS\O2IYGB2F.EXE /dk
O4 - Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Startup: Iomega Startup Options.lnk = C:\Tools_95\IMGSTART.EXE
O4 - Startup: Iomega Watch.lnk = C:\Tools_95\IOWATCH.EXE
O4 - Startup: Zip Disk Icons.lnk = C:\Tools_95\IMGICON.EXE
O4 - Startup: DRZ62ROI.lnk = C:\WINDOWS\drz62roi.exe
O4 - Startup: 7NJIUR4R.lnk = C:\WINDOWS\7njiur4r.exe
O4 - Startup: DFF0F4HN.lnk = C:\WINDOWS\dff0f4hn.exe
O4 - Startup: O5R80OJM.lnk = C:\WINDOWS\o5r80ojm.exe
O4 - Startup: BNBV1UO5.lnk = C:\WINDOWS\bnbv1uo5.exe
O4 - Startup: JG9168DQ.lnk = C:\WINDOWS\jg9168dq.exe
O4 - Startup: VMHY4792.lnk = C:\WINDOWS\vmhy4792.exe
O4 - Startup: QN82IVDO.lnk = C:\WINDOWS\qn82ivdo.exe
O4 - Startup: F3O0R5H8.lnk = C:\WINDOWS\f3o0r5h8.exe
O4 - Startup: MXD2YQN3.lnk = C:\WINDOWS\mxd2yqn3.exe
O4 - Startup: H140GFXI.lnk = C:\WINDOWS\h140gfxi.exe
O4 - Startup: O2IYGB2F.lnk = C:\WINDOWS\o2iygb2f.exe
O4 - Global Startup: BNBV1UO5.lnk = C:\WINDOWS\bnbv1uo5.exe
O4 - Global Startup: MXD2YQN3.lnk = C:\WINDOWS\mxd2yqn3.exe
O4 - Global Startup: DRZ62ROI.lnk = C:\WINDOWS\drz62roi.exe
O4 - Global Startup: 7NJIUR4R.lnk = C:\WINDOWS\7njiur4r.exe
O4 - Global Startup: H140GFXI.lnk = C:\WINDOWS\h140gfxi.exe
O4 - Global Startup: O2IYGB2F.lnk = C:\WINDOWS\o2iygb2f.exe
O9 - Extra button: Trace (HKLM)
O9 - Extra 'Tools' menuitem: VisualRoute Trace (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Whistle (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net
 

·
Registered
Joined
·
46,353 Posts
Are you doing it in safe mode? Are you making sure you don't miss anything?

Also are you deleting the Temp files?
 

·
Registered
Joined
·
37 Posts
Discussion Starter · #14 ·
yes, I done just like you told me..I dont think I missed anything...I even deleted all from my trash bin too...but I noticed that after I run the HJT program I have a lot of short cut files on my desk top... I also deleted those too...
 

·
Registered
Joined
·
46,353 Posts
Create a folder in My Documents and name it Hijack This. Move the hijackthis.exe file from your desktop to the new Hijack This folder. That way it will store the backups in that folder and not scatter them all over your desktop.

OK let's try again and this time doublecheck and triplecheck to make sure you don't miss anything.

Boot to safe mode.

In safe mode run Hijack This again and put a check by these. Close all windows except HijackThis and click "Fix checked"

O4 - HKLM\..\Run: [O2IYGB2F.EXE] C:\WINDOWS\O2IYGB2F.EXE /dk

O4 - HKCU\..\Run: [O2IYGB2F.EXE] C:\WINDOWS\O2IYGB2F.EXE /dk

O4 - Startup: DRZ62ROI.lnk = C:\WINDOWS\drz62roi.exe

O4 - Startup: 7NJIUR4R.lnk = C:\WINDOWS\7njiur4r.exe

O4 - Startup: DFF0F4HN.lnk = C:\WINDOWS\dff0f4hn.exe

O4 - Startup: O5R80OJM.lnk = C:\WINDOWS\o5r80ojm.exe

O4 - Startup: BNBV1UO5.lnk = C:\WINDOWS\bnbv1uo5.exe

O4 - Startup: JG9168DQ.lnk = C:\WINDOWS\jg9168dq.exe

O4 - Startup: VMHY4792.lnk = C:\WINDOWS\vmhy4792.exe

O4 - Startup: QN82IVDO.lnk = C:\WINDOWS\qn82ivdo.exe

O4 - Startup: F3O0R5H8.lnk = C:\WINDOWS\f3o0r5h8.exe

O4 - Startup: MXD2YQN3.lnk = C:\WINDOWS\mxd2yqn3.exe

O4 - Startup: H140GFXI.lnk = C:\WINDOWS\h140gfxi.exe

O4 - Startup: O2IYGB2F.lnk = C:\WINDOWS\o2iygb2f.exe

O4 - Global Startup: BNBV1UO5.lnk = C:\WINDOWS\bnbv1uo5.exe

O4 - Global Startup: MXD2YQN3.lnk = C:\WINDOWS\mxd2yqn3.exe

O4 - Global Startup: DRZ62ROI.lnk = C:\WINDOWS\drz62roi.exe

O4 - Global Startup: 7NJIUR4R.lnk = C:\WINDOWS\7njiur4r.exe

O4 - Global Startup: H140GFXI.lnk = C:\WINDOWS\h140gfxi.exe

O4 - Global Startup: O2IYGB2F.lnk = C:\WINDOWS\o2iygb2f.exe


Now open the C:\Windows folder and find and delete these files:

O2IYGB2F.EXE
drz62roi.exe
7njiur4r.exe
dff0f4hn.exe
o5r80ojm.exe
bnbv1uo5.exe
jg9168dq.exe
vmhy4792.exe
qn82ivdo.exe
f3o0r5h8.exe
mxd2yqn3.exe
h140gfxi.exe
o2iygb2f.exe


Also in the Windows folder find the Temp folder and go to Edit > Select All then Edit > Delete and delete everything in the Temp folder.

Now go to Control Panel > Internet Options and on the General tab under "Temporary Internet Files" Click "Delete Files". In the box that pops up put a check by "Delete offline content" then click OK.

Boot back to normal and post another log please.
 

·
Registered
Joined
·
37 Posts
Discussion Starter · #16 ·
thanx for your help.... all is well now...
so far so good :)

Logfile of HijackThis v1.97.7
Scan saved at 14:11:52, on 3/28/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE32.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\WINDOWS\RunDLL.exe
C:\TOOLS_95\IMGICON.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\PROGRA~1\NETROPA\ONSCRE~1\OSD.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\MY DOCUMENTS\HIJACK THIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mchsi.com/pace
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Mediacom Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r21.mchsi.com:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *r21.mchsi.com;localhost
R3 - Default URLSearchHook is missing
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Startup: Iomega Startup Options.lnk = C:\Tools_95\IMGSTART.EXE
O4 - Startup: Iomega Watch.lnk = C:\Tools_95\IOWATCH.EXE
O4 - Startup: Zip Disk Icons.lnk = C:\Tools_95\IMGICON.EXE
O9 - Extra button: Trace (HKLM)
O9 - Extra 'Tools' menuitem: VisualRoute Trace (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Whistle (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net
 